Shamoon, a piece of malware that tries to turn infected computers into unusable bricks, is back. Earlier this month, a number of cybersecurity firms reported that hackers had used the malware against thousands of computers in Saudi Arabia’s civil aviation agency and other government bodies. According to Bloomberg, the attacks, like previous ones involving Shamoon, seemingly originated from Iran.
Now, the Defense Security Service (DSS), part of the US Department of Defense, has issued a bulletin to cleared contractors warning them of the threat.
“Between 2 and 7 December 2016, DSS was given information from another government agency regarding Indicators of Compromise (IOC) associated with a Shamoon malware variant and may be used in computer network exploitation attempts,” the bulletin, distributed on Thursday and obtained by Motherboard, reads. It does not specify the government agency that provided the information.
These bulletins are sent to contractors to alert them to threats from foreign intelligence entities (FIEs), and in particular, FIEs’ infrastructure, malware, tactics, techniques or procedures.
“This information is being shared by DSS in order to enable potential targets of possible espionage activity to detect, disrupt or deny FIE’s exploitation of cleared contractor information systems, networks or personnel,” it reads.
In 2012, the “Cutting Sword of Justice,” a suspected Iranian hacking group, used Shamoon to aggressively wipe tens of thousands of computers belonging to Saudi Aramco. Aramco is the state-owned oil company of Saudi Arabia.
In the wake of the attack, Aramco had to take itself entirely offline. “No emails, no phones, nothing,” Chris Kubecka, a consultant who worked with Aramco, told an audience at the Black Hat hacking conference last year. The hackers also replaced emails and documents with a picture of a burning American flag, according to The Register.
The new version of Shamoon, however, displays a picture of Alan Kurdi, the 3-year-old Syrian boy who drowned while trying to cross from Turkey to Greece, according to a report from security company Symantec.
Neither the FBI nor the Department of Defense provided comment in time for publication, and the NSA did not respond to a request for comment.