Saudi cyber authority uncovers new data-wiping malware, and experts suspect Iran is behind it

It's the latest sign that Iranian computer operatives are interested in using data-wiping attacks to disrupt organizations in the Middle East.
Riyadh, Saudi Arabia
Riyadh, Saudi Arabia at night. The country's National Cybersecurity Authority has warned of a new destructive malware variant (CC0 Creative Commons).

Around the time that tensions between the U.S. and Iran started mounting last month, authorities in Saudi Arabia discovered a new variant of data-wiping malware that cybersecurity analysts suspect originated with Iranian hackers.

The attackers deployed the malware against an unnamed target on Dec. 29 with “urgency,” rushing to execute their malware and in the process leaving clues behind on the victim network, according to a technical report from Saudi Arabia’s National Cybersecurity Authority (NCA) obtained by CyberScoop.

“Signs of compromise of the network dating back a few months before destructive payload was detonated,” says the memo, which was distributed to cybersecurity specialists who protect critical infrastructure.

While the advisory doesn’t identify the culprit suspected in the attack, it does suggest the work of state-sponsored hackers. Analysts familiar with the attack told CyberScoop that the activity bore technical similarities to previous hacking out of Iran. This advisory, first reported by Yahoo News, is the latest indication that Iranian computer operatives apparently are using data-wiping malware to disrupt organizations in the Middle East.


“It is in line with the previous activities we saw from groups attributed to Iran,” said a cybersecurity analyst based in the Middle East who declined to be named because of the sensitivity of the issue. “Yet the damage has been limited compared to previous years due to NCA’s heavy involvement with the target at early stages.”

The memo comes to light following the U.S. killing on Jan. 3 of Qassem Soleimani, Iran’s most powerful general, and Iran’s ensuing retaliatory missile strikes on Iraqi military bases housing U.S. forces. As the conflict has become more fraught, U.S. officials and private sector security experts have warned of Iran’s ability to strike back online. Iranian operatives could, for example, carry out data-destroying hacks, or conduct cyber-espionage “to enable a better understanding of our strategic direction and policy-making,” the Department of Homeland Security’s cybersecurity division said Monday.

Iranian hackers could also target organizations in Saudi Arabia, a U.S. ally. A 2012 cyberattack on Saudi Aramco that disabled tens of thousands of computers at the state-owned oil giant relied on Shamoon wiper malware, which U.S. officials have suggested was designed by Iran.

The incident last month was the latest reminder that the threat has not subsided.

How the hack worked


The malware used in the Dec. 29 attack, dubbed Dustman, contains multiple malicious files, including a wiper, which destroys data. Saudi authorities described Dustman as a variant of malware that had been used in data-wiping attacks against industrial organizations in the Middle East late last year. IBM, which uncovered that attack, attributed it to APT34, a hacking group associated with the Iranian government.

The Saudis believe the hackers may have broken into the target network by exploiting a known vulnerability in a virtual private network application that was disclosed last July. From there, the hackers accessed domain and administrative accounts on the victim’s network and eventually executed the Dustman malware.

The malware was “compiled, possibly on the threat actor infrastructure, [a] few minutes before deploying it on the victim’s network,” the advisory says. “This is inconsistent with known destructive attacks as they [are] usually tested before being deployed.”

It was not immediately clear if other organizations were targeted by the Dustman malware. The NCA could not be reached for comment.

The Dustman malware is “consistent with Iranian capability and operations going back to 2012,” said Adam Meyers, vice president of intelligence at cybersecurity company CrowdStrike, referring to the 2012 attack on Saudi Aramco. “It’s the latest variant in a line of wiping tools that’s meant to cause data disruption and destruction.”


“This is part of the likely retaliatory package that is being considered by Iran,” Meyers told CyberScoop. “They understand the asymmetric power of cyber operations.”

Meyers compared Iran’s alleged data-destroying operations against Saudi organizations to the way Russian hackers conduct waves of cyberattacks on Ukrainian targets as a means of regional intimidation.

“It’s meant to have a psychological impact on the target,” he said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts