Iran's foray into data-wiping malware goes back to 2012 when they developed Shamoon (also known as Disttrack), a piece of malware that was responsible for wiping more than 32,000 PCs at the Saudi Aramco oil company in Saudi Arabia, in one of the world's most infamous cyber-attacks.
Two more Shamoon versions were discovered in the following years, Shamoon v2 (used in 2016 and 2017) and Shamoon v3 (used in 2018 and 2019).
According to a report published by IBM X-Force, Iranian hackers are also linked to data-wiping attacks with a second different malware strain named ZeroCleare, first discovered in the wild in September 2019.
Per Saudi CNA officials, Dustman appears to be an upgraded and more advanced version of the ZeroCleare wiper that was discovered last fall -- which, in turn, had multiple code similarities with the original Shamoon.
The main shared component between all three strains is EldoS RawDisk, a legitimate software toolkit for interacting with files, disks, and partitions. The three malware strains use different exploits and techniques to elevate initial access to admin-level, from where they unpack and launch the EldoS RawDisk utility to wipe data on infected hosts.
Since Dustman is considered an evolved version of ZeroCleare, most of the code is the same, but Saudi CNA officials who analyzed the malware said Dustman comes with two important differences:
Dustman's destructive capability and all needed drivers and loaders are delivered in one executable file as opposed to two files, as was the case with ZeroCleare.
Dustman overwrites the volume directly, while ZeroCleare wipes a volume by overwriting it with garbage data (the byte 0x55).
Sources tell ZDNet that the targeting of Bapco with Dustman fits in the regular modus operandi of known Iranian state-sponsored hackers.
Historically, prior to the Dustman deployment on December 29, Iranian hackers used Shamoon and ZeroCleare exclusively against companies in the oil and gas field.
Past targets included companies with ties to the Saudi regime and Saudi Aramco, Saudi Arabia's national oil company. Iran and Saudi Arabia have had strained relations since the 1970s, due to differences in the interpretation of Islam, and because of their competition on the oil export market.
Bapco is a company fully owned by the Bahrain regime, a country that has had strained political relations with the Tehran regime, and which is a known business partner of Saudi Aramco.
HOW THE ATTACK TOOK PLACE
At the time of writing, Bapco appears to be the only victim of an attack with the Dustman malware, although this doesn't mean the malware was not deployed on the network of other targets.
According to the CNA report, attackers don't seem to have planned to deploy Dustman at the time they did, but appear to have triggered the data-wiping process as a last-ditch effort to hide forensic evidence after they made a series of mistakes that would have revealed their presence on the hacked network.
Sources who spoke with ZDNet on the condition of anonymity claimed the Bahrain company was compromised over the summer.
Saudi CNA officials, along with our sources, confirmed the point of entry was the company's VPN servers. The CNA report cites "remote execution vulnerabilities in a VPN appliance that was disclosed in July 2019" as the attackers' point of entry into Bapco's network.
While officials didn't blame any specific appliance, they are most likely referring to a Devcore report published over the summer that disclosed remote execution bugs in a wealth of enterprise-grade VPN servers, such as those from Fortinet, Pulse Secure, and Palo Alto Networks.
Here is where our sources diverged. Some said hackers exploited a vulnerability in Pulse Secure servers, while others pointed the finger at Fortinet VPN servers.
A search with the BinaryEdge search engine shows that a part of the vpn.bapco.net network does, indeed, run on Fortinet VPN appliances. However, it is also possible that Bapco ran Pulse Secure servers in the past and has since taken them down.
Either way, while our sources differed on the exact VPN server exploited in the attack, they did agree that this is where hackers broke in. According to the Saudi CNA report, hackers gained control over the VPN server, then escalated their access to the local domain controller.
We cite from the report:
The threat actor obtained domain admin and service accounts on the victim's network, which was used to run "DUSTMAN" malware on all of the victim's systems. The attacker utilized the anti-virus management console service account to distribute the malware across the network.
The threat actor accessed the victim's network and copied the malware and the remote execution tool "PSEXEC" into the anti-virus management console server, which was connected to all machines within the victim's network due to the nature of its functionality. A few minutes later, the attacker accessed the storage server of the victim and deleted all volumes manually.
The attackers then executed a set of commands on the anti-virus management control to distribute the malware to all connected machines, and through (PSEXEC) the malware executed and dropped (3) additional files, two drivers and the wiper. Most of the connected machines were wiped.
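A defender-side view of the two behaviours the article describes, the EldoS RawDisk driver being loaded on an endpoint and a single service account pushing PsExec service installs to many hosts within minutes, written as an added example that is not part of the ZDNet article or the CNA report. The event schema, account names, host names and timestamps are constructed for illustration; the driver check matches on the "EldoS" and "RawDisk" strings the article names rather than on any specific driver filename, and the thresholds are assumptions a team would tune to its own environment.

```python
"""Detection sketch for two behaviours from the Bapco/Dustman write-up (added example).

1. A driver whose description or signer mentions EldoS / RawDisk is loaded on a host.
2. One account installs a service (PsExec-style remote execution) on many distinct
   hosts inside a short window, as the AV console's service account did here.

Event dicts below are a constructed, simplified shape, not a real SIEM schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    # The AV console's service account installs the PsExec service on several hosts.
    {"ts": "2019-12-29T01:00:00", "kind": "service_install", "account": "svc-avconsole",
     "host": "ws-01", "service": "PSEXESVC"},
    {"ts": "2019-12-29T01:00:20", "kind": "service_install", "account": "svc-avconsole",
     "host": "ws-02", "service": "PSEXESVC"},
    {"ts": "2019-12-29T01:00:45", "kind": "service_install", "account": "svc-avconsole",
     "host": "ws-03", "service": "PSEXESVC"},
    {"ts": "2019-12-29T01:01:10", "kind": "service_install", "account": "svc-avconsole",
     "host": "fs-01", "service": "PSEXESVC"},
    # An admin installing one agent on one box stays below the threshold.
    {"ts": "2019-12-29T01:05:00", "kind": "service_install", "account": "admin.jane",
     "host": "ws-09", "service": "BackupAgent"},
    # Two driver loads: the wiper's RawDisk driver and an ordinary vendor driver.
    {"ts": "2019-12-29T01:02:00", "kind": "driver_load", "host": "ws-02",
     "driver_description": "RawDisk Driver", "signer": "EldoS Corporation"},
    {"ts": "2019-12-29T01:02:05", "kind": "driver_load", "host": "ws-09",
     "driver_description": "NVIDIA Display Driver", "signer": "NVIDIA Corporation"},
]

# Strings named in the article; matched case-insensitively against description and signer.
RAWDISK_MARKERS = ("eldos", "rawdisk")


def find_rawdisk_driver_loads(events):
    """Return the sorted list of hosts on which an EldoS/RawDisk driver was loaded."""
    hits = set()
    for ev in events:
        if ev.get("kind") != "driver_load":
            continue
        text = (ev.get("driver_description", "") + " " + ev.get("signer", "")).lower()
        if any(marker in text for marker in RAWDISK_MARKERS):
            hits.add(ev["host"])
    return sorted(hits)


def find_mass_service_installs(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for every account that installed a service on
    at least `min_hosts` distinct hosts within any interval of length `window`.

    Uses a sliding window over each account's events sorted by time, and unions the
    hosts of every window that crosses the threshold.
    """
    per_account = defaultdict(list)
    for ev in events:
        if ev.get("kind") == "service_install":
            per_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))

    flagged = defaultdict(set)
    for account, items in per_account.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until the window fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {host for _, host in items[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[account].update(hosts)
    return {account: sorted(hosts) for account, hosts in flagged.items()}


if __name__ == "__main__":
    print("RawDisk driver loaded on:", find_rawdisk_driver_loads(SAMPLE_EVENTS))
    print("Mass remote service installs:", find_mass_service_installs(SAMPLE_EVENTS))
```

The two checks are deliberately independent: the driver load is a high-confidence indicator on the host that is about to be wiped, while the service-install burst fires earlier, when a management account starts behaving like a deployment tool, which is the stage at which isolating the console or the account still prevents most of the damage.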