Credential Theft: The Key to Shamoon 2 Data Destruction

By Christopher Budd

Christopher Budd is the Senior Threat Communications Manager at Palo Alto Networks where he works alongside the Unit 42 threat intelligence team. Previously, Budd served in similar capacities at Trend Micro and the Microsoft Security Response Center. He is also a Ponemon Fellow.

The problem of stolen credentials is a well-known threat in the security industry. But knowing something is a problem and understanding its full scope are two different things. The Shamoon 2 attacks targeting critical organizations across Saudi Arabia should serve as a clear demonstration of how serious the problem of credential theft is, and of how taking steps to prevent it can yield truly significant, tangible results in protecting against attacks.

For context, the Shamoon attacks of 2012 and the recent Shamoon 2 attacks of 2016 and 2017 are among the most noteworthy attacks in cybersecurity. They are also among the most shadowy attacks: after five years, we still can’t say for sure who is behind them. And aside from Saudi Aramco – whom former U.S. Secretary of Defense Leon Panetta called out as a target – we can’t say for sure which organizations have been hit by Shamoon and Shamoon 2. There are intimations, insinuations, and even claims that Shamoon and Shamoon 2 are the work of Iranian attackers targeting critical organizations and industries in Saudi Arabia, but they’ve never been fully substantiated.
