New Iranian malware targets Middle Eastern oil

The next generation of Trojan Horses is here, and it's playing the long game.


Middle Eastern oil and gas companies are experiencing a new wave of cyberattacks, IBM X-Force says in a new report published this month.

X-Force, IBM’s security unit, has dubbed this new attack “ZeroCleare” and says in the report that the design and implementation of the attack is “likely [a] collaboration between Iranian state-sponsored groups” designed to either “degrade, disrupt, deceive, or destroy the device/data.”

In a region like the Middle East where oil and gas companies make up a large proportion of the economy, targeting these industries with such an attack can potentially put the entire region’s economy at risk. And while this most recent attack didn’t necessarily devastate the region’s economy just yet, it did successfully infiltrate a number of Windows computers and related servers in these industries.

To do this, the malware used a method not dissimilar to how the Greeks invaded Troy. But instead of a wooden horse, ZeroCleare used an authenticated driver to gain access to the system while secretly bringing in a non-authenticated, malicious driver that then released the malware’s destructive program called “ClientUpdate.exe.”

It’s a generic name, but this program is responsible for wiping the systems’ Master Boot Record (MBR), which the computer relies on to locate its main storage on the physical disk, and for damaging the partitions put in place to separate data. Unlike other types of malware that aim to plant new information on a system, this class of malware (fittingly called a wiper) differs because its goal is instead to wipe the hard drives of infected computers.

This approach is not new. In fact, it has been used before to target Middle Eastern oil and gas companies.

The X-Force report says that ZeroCleare is fairly similar in design and aim to a series of malware attacks that targeted the region starting in 2012 called Shamoon. Both approaches aimed to overwrite the computer’s MBR and used a similar Trojan Horse approach for the infiltration. However, X-Force reports that ZeroCleare was still unique enough that it can be classified as a separate kind of attack instead of a new generation of Shamoon.

The report writes that while destructive cyberattacks are possible anywhere in the world, there is a rising concern in relation to attacks like these on energy and industrial sectors — especially in regions dependent on those industries, such as the Middle East and Europe.

And because of the international importance of such industries, the report says that the effects of these attacks can be felt even beyond the targeted regions.

“Destructive cyberattacks against energy infrastructure in this arena therefore represent a high-impact threat to both the regional and international markets.”

Even more, when it comes to the state largely sponsoring these attacks, the report says that this Iranian malware is not only destructive but is also being used as a way to evade sanctions and conduct war-like activity.

“The use of cyber-based weapons in lieu of conventional military tactics presents Iran, in this case, with a low-cost, and potentially non-attributable means of conducting hostile, and even warlike activity. With attribution to one specific group becoming a challenge nowadays, working under the cyber cloak of anonymity can also allow Iran to evade sanctions and preserve its relations with international players who may support its economic and nuclear energy interests.”

So, is all hope lost?

Not necessarily.

Just as there will always be hackers, there will always be ways to incrementally secure your data as well (at least until the next attack…). In its report, X-Force suggests a handful of ways to better secure data, including using threat intelligence, multi-layer security controls, and keeping offline backups of sensitive data.
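To make the MBR discussion above concrete, and to show what the report's "offline backups" advice looks like for the boot sector specifically, here is an added example (not code from the article or from the X-Force report). It parses a 512-byte MBR image the way a computer does at boot (boot signature, then the four primary partition entries), fingerprints a known-good copy, and reports what has changed when a later read of the sector no longer matches. The sample MBR and the corrupted sectors are constructed inline; the layout constants (partition table at offset 446, 16-byte entries, 0x55AA signature) are the standard MBR format.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

# Standard MBR layout: 446 bytes of boot code, four 16-byte partition
# entries, then the two-byte 0x55AA boot signature at offset 510.
SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    bootable: bool      # status byte 0x80 marks the active partition
    type_code: int      # e.g. 0x07 for NTFS/exFAT, 0x00 for an unused slot
    start_lba: int      # first sector of the partition
    sector_count: int   # length of the partition in sectors

    @property
    def empty(self) -> bool:
        return self.type_code == 0


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Parse the four primary partition entries from a 512-byte MBR.

    Raises ValueError when the sector is not a structurally valid MBR,
    which is exactly what a wiped or overwritten first sector looks like.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        raw = sector[off:off + PARTITION_ENTRY_SIZE]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, start_lba, count = struct.unpack("<B3xB3xII", raw)
        entries.append(PartitionEntry(status == 0x80, ptype, start_lba, count))
    return entries


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the raw sector; this is what you keep in the offline baseline."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(current: bytes, known_good_hash: str) -> List[str]:
    """Compare a freshly read MBR against the offline baseline hash.

    Returns a list of findings; an empty list means the sector is unchanged.
    """
    findings: List[str] = []
    if fingerprint(current) == known_good_hash:
        return findings
    findings.append("MBR differs from baseline")
    try:
        entries = parse_mbr(current)
    except ValueError as exc:
        findings.append(f"MBR unparseable: {exc}")
        return findings
    if all(e.empty for e in entries):
        findings.append("partition table is empty: disk no longer locates any partition")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: zeroed boot code, one bootable NTFS partition
    starting at LBA 2048 (the usual 1 MiB alignment), valid boot signature."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 409600)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    baseline_hash = fingerprint(baseline)          # store this copy offline
    for p in parse_mbr(baseline):
        print(p)
    print("intact:", check_mbr(baseline, baseline_hash))
    # Constructed "after a wipe" sectors: all zeros, and signature-only.
    print("zeroed:", check_mbr(bytes(SECTOR_SIZE), baseline_hash))
    signature_only = bytearray(SECTOR_SIZE)
    signature_only[510:512] = BOOT_SIGNATURE
    print("table cleared:", check_mbr(bytes(signature_only), baseline_hash))
```

On a real host the `current` bytes would come from reading the first sector of the physical disk (which needs administrator rights), and the baseline hash and a full copy of the sector belong on offline media, since a wiper that reaches the disk can also reach any backup stored on it. The check is deliberately read-only: it tells you the sector changed and how, and restoring it is a separate, deliberate step from the offline copy.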
