United States officials have insisted on numerous occasions that the Shamoon malware, the one used in the cyberattacks against Saudi Aramco, is the work of Iran. However, new evidence suggests that it could be the work of an extremist Islamist group based in Saudi Arabia.
US authorities have said that a malware developed by amateurs couldn’t have damaged around 30,000 computers, as Shamoon has done in the case of Saudi Aramco. They have assumed that a nation state, more precisely Iran, is behind the malware and the attacks it has been used in.
However, Defence IQ has been provided with a summary report by John Bumgarner, the chief technology officer of the U.S. Cyber Consequences Unit. The report makes some interesting assumptions regarding the malware’s origin.
For instance, Shamoon was programmed to activate on August 15, 2012. On the same day, Saudi Arabia celebrated Laylat al-Qadr, an important religious event part of Ramadan.
Furthermore, the malware was configured so that it would step into play at 11:08 AM Arabia Standard Time. 11:08 could be a reference to Chapter 11, verse 8 of the Holy Quran, which talks about punishments.
This verse reads: “If We delay in afflicting them with Our punishment for an appointed time, they ask, What is preventing it (the punishment) from taking place? On the day when it (punishment) befalls them, no one will be able to escape from it and that which they have mocked will surround them from all sides.”
It’s also worth noting that the name of the group that has taken credit for the Saudi Aramco attacks, the Cutting Sword of Justice, might be related to several things, such as the scimitar sword from Saudi Arabia’s flag.
In addition, the malware author stored the virus code in a folder called Arabian Gulf, the name used by individuals living in Saudi Arabia, the United Arab Emirates, Bahrain, Kuwait, Oman and Qatar for the Persian Gulf.
Experts believe that the use of the string “wiper” in the code of Shamoon doesn’t mean that it’s connected to the Wiper malware identified by Iran in April 2012. Instead, it might be a deception tactic to shift focus towards Iran.