Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain’s national oil company.
The incident took place on December 29. The attack did not have a long-lasting effect, as only a portion of Bapco’s computer fleet was affected and the company continued its operations after the malware was detonated.
The Bapco security incident came to light in the middle of the rising political tensions between the US and Iran.
Even though the Bapco incident does not seem to be connected to the current US-Iranian political tensions, it does show Iran’s advanced technical capabilities when it comes to launching destructive cyber-attacks.
The new strain of malware responsible for the Bapco attack was named Dustman. According to an analysis by Saudi Arabia’s cyber-security agency, Dustman is data-wiping malware designed to delete data on infected computers once executed.
Iranian state-sponsored hackers have a long history of developing data-wiping malware. Iranian hackers were believed to be behind data-wiping attacks with a malware strain named ZeroCleare, which was first discovered in September 2019.
Dustman appears to be an upgraded and more advanced version of the ZeroCleare wiper.
As of now, Bapco is the only victim of an attack with the Dustman malware, but it is not known whether the malware was deployed on the network of other targets.
According to the CNA report, the attackers had not planned to deploy Dustman at the time they did; they triggered the data-wiping process as a last-ditch effort to hide forensic evidence after making a series of mistakes that would have revealed their presence on the compromised network.
Bapco officials became aware of the attack on December 30, when employees came to work. They traced back the attack and identified the Dustman malware because some workstations had been in sleep mode at the time of the attack.
When these systems were started, they tried to execute the malware, but the antivirus (which had been disabled at the time of the original attack) detected and blocked it.
Security experts, however, could not attribute the attack to a specific Iranian state-sponsored group because they lacked full visibility into the intrusion.