
Why the Shamoon virus looms as destructive threat

Byron Acohido
USA TODAY
Cyberwarfare introduces the notion of a digital Pearl Harbor

It's been nine months since the milestone Shamoon virus wreaked havoc at Aramco. Shamoon was not designed to steal data. Nor was it just another garden-variety denial-of-service attack, intended to disrupt and embarrass. Shamoon's express purpose was crippling the Saudi Arabian national oil and natural gas company. It accomplished its mission, destroying data on some 30,000 desktops and servers at the oil company.

The U.S. Department of Homeland Security's National Cyber Security Division has updated its standing alert, specifically recommending that IT organizations implement ways to detect propagation of viruses like Shamoon. CyberTruth asked Gord Boyce, ForeScout Technologies' CEO, to frame the go-forward concerns:

CT: Why does concern remain heightened about Shamoon?

Boyce: A decade ago, we used to see viruses that were destructive like Shamoon. But by 2004, the people who write viruses shifted their intentions from notoriety to profit. Since then, most viruses have been designed to remain undetected and unobtrusive. The viruses quietly do their work, such as using your computer to send hundreds of spam messages without your knowledge. Shamoon is a huge departure.

CT: Is there a consensus about who likely was responsible?

Boyce: No. Most security experts believe that the author of Shamoon was politically motivated. Strong anti-American sentiment was evident within the Shamoon code. For example, there was an image of a burning American flag. Some say that the author of the virus intended to send a message to the Saudi government for supporting controversial American foreign policy in the Middle East.

CT: Should the public be concerned that Shamoon's creators/controllers are likely still active?

Boyce: Yes. After a terrorist event that makes an apparent change in the threat landscape, it is natural and prudent to have a heightened awareness and to exercise defense procedures designed to reduce the risk of a similar event. Shamoon is highly destructive and an organization infected with this type of malware could experience operational impacts including loss of intellectual property and disruption of critical systems.



CT: What about copycats?

Boyce: Computer forensic experts who have inspected the Shamoon code have stated that Shamoon was not an especially difficult virus to create, so copycat viruses are quite possible.

CT: How would you summarize the go-forward concerns?

Boyce: Organizations have to assume copycat similar attacks might take place and protect against them. The concern is that from a single computer the virus infection can spread internally from computer to computer. And perimeter defenses like firewalls and network intrusion prevention cannot prevent the spread. Organizations need to upgrade their internal network defenses to ensure even previously unknown malware cannot spread undetected.

CT: Anything else?

Boyce: Traditional measures such as antivirus are not enough to prevent 100 percent of fast-spreading infections. The main thrust of cyberthreats is continuously shifting inside organizational networks; IT security needs to follow suit, and deploy technologies that effectively address those threats over their internal network.
