After falling dormant for four years, the Shamoon malware resurfaced last month, hijacking the computers of at least six organizations in Saudi Arabia to display the body a 3-year-old Syrian refugee who drowned in the Mediterranean last year, security experts said.
The virus closely resembles its original 2012 variant, which targeted Saudi Arabian oil companies by wiping the master boot records of their computers and replacing them with an image of a burning American flag, Symantec security researchers wrote in a blog post.
The most recent wave of attacks attack began in mid-November, and targeted the computers of the agency running Saudi Arabia's airports as well as five other organizations, Bloomberg reports.
They were carefully coordinated, with usernames and passwords that appear to have been stolen from the targeted organizations, and timed to attack at the end of the Saudi work week on Thursday evening, according to Symantec.
The hackers' identity and motivation are unclear, although Bloomberg reports that they may be state-sponsored, and that Saudi Arabian officials suggest that the attacks originated from Iran. The word "shinu" appears in the hackers' code, according to Palo Alto Networks, which could be a reference to the Arabic word for "what," or the name of a town in northwestern Iran.
Symantec has issued security updates for its antivirus products as of Friday that can detect the new Shamoon attack, and its rival McAfee said on Monday that it's investigating. According to Symantec, the malware proliferates over a target network in several phases. First, a "dropper" service spreads itself to multiple computers, and then downloads a driver to allow it to bypass Windows APIs and overwrite the hard disk. Finally, the malware ommunicates with the attackers' servers to send verification that the disk has been wiped.
Citing people familiar with the Saudi investigation, Bloomberg reports that thousands of computers at the aviation authority were affected and had their data erased.