Credential Theft: The Key to Shamoon 2 Data Destruction

Christopher Budd
Senior Threat Communications Manager, Palo Alto Networks

The problem of stolen credentials is a well-known threat in the security industry. But knowing something is a problem and understanding the full scope are two different things. The Shamoon 2 attacks targeting critical organizations across Saudi Arabia should serve as a clear demonstration about how significant the problem of credential theft is and how taking steps to prevent it can yield truly significant, tangible results in protecting against attacks.

For context, the Shamoon attacks of 2012 and the recent Shamoon 2 attacks of 2016 and 2017 are among the most noteworthy attacks in cybersecurity. They are also among the most shadowy attacks: after five years, we still can’t say for sure who is behind them. And aside from Saudi Aramco – whom former U.S. Secretary of Defense Leon Panetta called out as a target – we can’t say for sure which organizations have been hit by Shamoon and Shamoon 2. There are intimations, insinuations, and even claims that Shamoon and Shamoon 2 are the work of Iranian attackers targeting critical organizations and industries in Saudi Arabia, but they’ve never been fully substantiated.

This means there aren’t reliable numbers for the full impact of either or both attacks, but reasonable estimates put the damage of these attacks in the tens of thousands of systems. Successful attacks result in total loss of the system and the data on it; if there are no effective backups to fall back on, the damage equates to total, catastrophic loss. In terms of lost data, this makes Shamoon and Shamoon 2 potentially the most destructive attacks ever, or at least among those publicly known.

The nuts and bolts of the Shamoon 2 attacks show credential theft is the keystone for their success. These attacks enter and spread through an organization in three stages. First, the attackers enter the network remotely and take control of a single system using stolen credentials. Next, they connect from the initially compromised system to other named systems on the network with further stolen credentials and infect them. Finally, they spread from infected systems to other systems on the local network with more stolen credentials and infect them. These three steps highlight a key point: credential theft is the oxygen of successful attacks. It’s necessary for all three stages of the Shamoon 2 attack.
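The three-stage spread described above leaves a recognizable footprint in authentication logs: one account reaching many distinct hosts in a short window, and hosts that were logged into then becoming the source of further logons. The following detection sketch is an added example, not code from the article or from Palo Alto Networks; the logon events, account names and host names are constructed, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons (not from any real incident):
# (timestamp, account, source host, destination host). The svc_backup rows mirror
# the three stages: remote entry, hops to named servers, then spread to local workstations.
EVENTS = [
    ("2017-01-23T02:00:00", "svc_backup", "VPN-GW", "WS-014"),
    ("2017-01-23T02:04:10", "svc_backup", "WS-014", "FS-01"),
    ("2017-01-23T02:04:40", "svc_backup", "WS-014", "FS-02"),
    ("2017-01-23T02:05:05", "svc_backup", "WS-014", "DC-01"),
    ("2017-01-23T02:06:30", "svc_backup", "FS-01", "WS-201"),
    ("2017-01-23T02:06:55", "svc_backup", "FS-01", "WS-202"),
    ("2017-01-23T02:07:20", "svc_backup", "FS-01", "WS-203"),
    ("2017-01-23T09:00:00", "alice", "WS-101", "FS-01"),
    ("2017-01-23T13:30:00", "alice", "WS-101", "PRINT-01"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def credential_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Accounts whose logons reach at least min_hosts distinct destinations
    inside any sliding window; returns {account: sorted destination hosts}."""
    by_account = defaultdict(list)
    for ts, acct, src, dst in events:
        by_account[acct].append((parse(ts), src, dst))
    flagged = {}
    for acct, logons in by_account.items():
        logons.sort()
        best, start = set(), 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1  # slide the window forward
            hosts = {dst for _, _, dst in logons[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[acct] = sorted(best)
    return flagged

def hop_chains(events, account):
    """Hosts the account logged INTO that later became the SOURCE of its
    logons, i.e. compromised systems reused as stepping stones."""
    logons = sorted((parse(ts), s, d) for ts, a, s, d in events if a == account)
    reached, stepping = set(), set()
    for _, src, dst in logons:
        if src in reached:
            stepping.add(src)
        reached.add(dst)
    return sorted(stepping)
```

In a real deployment the events would come from Windows Security log logon records (network logons) or equivalent, with service accounts and known management hosts allow-listed to keep the threshold meaningful.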

More broadly, it’s a necessary, hidden element in most successful attacks. According to reports, two-thirds of successful attacks involved compromised credentials, and 63 percent of confirmed data breaches involved stolen credentials.

Shamoon 2 also shows that stolen credentials not only enable successful attacks, but they also act as a fulcrum that attackers can use to increase the attack leverage of otherwise simple and rudimentary tools.

The tools that comprised the Shamoon 2 attacks in total were actually quite simple. What gives them their power is not the tools themselves but the stolen credentials those tools utilize. This fact runs strongly against expectation. Usually a widely destructive attack like this demonstrates state-of-the-art attack tools. Another aspect that runs counter to expectation is that the 2016/2017 Shamoon 2 attacks are little changed when compared to the original 2012 Shamoon attacks. Usually threats evolve quickly, but in this case, the Shamoon attacks didn’t really evolve. Much like sharks, these attacks didn’t evolve because they didn’t need to – they were as effective in 2016/2017 as in 2012.

The key to this effectiveness is credential theft; without it, the attackers likely would have needed to evolve their attacks to be successful. But the kinds of credentials these attackers have stolen, and the level of access those credentials give them, do the heavy lifting in their attacks. Put simply, they don’t need to develop a sophisticated exploit to own a system when they already own that system.

Obviously, not every attack is as devastating as Shamoon 2. At the moment, Shamoon 2 is a regionally contained threat. But the lessons it gives us about the power and effectiveness of stolen credentials in the hands of attackers shouldn’t be overlooked.

The point of understanding threats is ultimately to work to prevent them. Credential theft can be prevented and mitigated.

User education is a key element in the fight against credential theft. It is often dismissed as ineffective in comparison with technological solutions. The user, however, is not only the last line of defense but can also be the most advanced analyzer of threats out there. The key is helping to educate users on how to evaluate potential credential theft threats like phishing and encouraging them to foster a “trust but verify” culture.

Anti-phishing and anti-malware technologies play key roles in preventing stolen credentials. While these have been around for years, they continue to evolve alongside the threats.

Most important on the technological front is the development in recent years of two-factor and multi-factor authentication, as well as one-time passwords. These developments don’t address credential theft per se, but they address the reality of credential theft. These solutions are becoming more common and diminish the value of stolen credentials. For example, in the case of two-factor authentication, it’s significantly harder to steal the full credential set, and the most commonly stolen credentials, usernames and passwords, are incomplete on their own. In the case of one-time passwords, a stolen password has limited to no usefulness.

The point of understanding successful attacks isn’t to say what an organization should or shouldn’t have done. The point is to understand what happened in order to learn what attackers are doing and move to adapt to their tactics to prevent future attacks from being successful.

The Author is Christopher Budd

Christopher Budd is the Senior Threat Communications Manager at Palo Alto Networks where he works alongside the Unit 42 threat intelligence team. Previously, Budd served in similar capacities at Trend Micro and the Microsoft Security Response Center. He is also a Ponemon Fellow.
