Named attack · kill-chain walkthrough

Shamoon

Iranian wiper that crippled Saudi Aramco

Attributed actor: APT33 (Cutting Sword of Justice persona)
Date: August 15, 2012
Attribution confidence: Moderate

The 'Cutting Sword of Justice' hacktivist persona publicly claimed credit for the August 2012 attack. Broad community consensus attributes the Shamoon/Disttrack toolset to Iranian state-sponsored actors operating against Persian Gulf energy targets. MITRE ATT&CK (S0140) identifies the 2012 operator as 'an Iranian group known as the Cutting Sword of Justice'. Note: FireEye's 2017 APT33 report (G0064) explicitly distinguishes APT33 from the Shamoon operators, assessing them as separate Iranian threat groups — the actor_id here follows the project's seed data mapping to the broader Iranian cluster.

On August 15, 2012 — the eve of Lailat al Qadr, the holiest night of the Islamic year — a three-component wiper malware called Disttrack (Shamoon) detonated across Saudi Aramco's network, destroying approximately 30,000 workstations in hours. The dropper propagated via hardcoded stolen domain credentials and SMB admin shares; the wiper component leveraged a legitimate EldoS RawDisk kernel driver to overwrite Master Boot Records and file contents with fragments of a burning American flag JPEG. Saudi Aramco spent roughly two weeks restoring operations and reportedly purchased a significant fraction of the global hard-drive supply to rebuild. Shamoon 2 returned in November 2016 (targeting Saudi organizations during another Islamic holiday weekend) and Shamoon 3 appeared in December 2018, underscoring the long-running and operationally disciplined nature of this Iranian threat cluster.

[Kill-chain diagram (scene 00 / 06), panel titles only: Pre-stage (Aug 15, 2012, eve of Lailat al Qadr; Saudi Aramco Windows domain network; stolen domain admin creds; Cutting Sword of Justice, Iranian state-nexus cluster; T1078.002 · T1566.001) · Dropper (PKCS7/PKCS12 resources; Reporter NETINIT.EXE beacons C2; Wiper drdisk.sys, EldoS RawDisk; svc ntssrv "MS Network Realtime Inspection Service"; T1543.003 · T1140 · T1124 · T1569.002) · Lateral movement (gethostbyname() → scan /24, copy to 256 hosts; RemoteRegistry enable; UAC bypass via reg key; SMB admin share copy; svc or NetScheduleJob; hardcoded stolen creds; T1021.002 · T1112 · T1570 · T1053.005 · T1018 · T1078.002) · C2 (NETINIT.EXE beacon, HTTP → 10.1.252.19:80/ajax_modal/modal/data.asp?mydata=…; C2 is an internal host; cmd E = deliver payload, cmd T = set wipe time; T1071.001 · T1082 · T1016) · EldoS RawDisk (signed kernel driver, drdisk.sys service; T1036.004 · T1027) · Clock reset (set date → Aug 2012, keeps 30-day eval licence valid; T1070.006 · T1134.001) · Masquerade name (caclsrv / dfrag / certutl, picked from a list to blend with sysadmin tools; T1036.004)]
  1. Phase 01 · Initial Access (TA0001)

    Operators obtained domain credentials before the attack and hardcoded them into the dropper

    • Pre-attack reconnaissance yielded legitimate administrator credentials for Saudi Aramco's internal Windows domain; these were not guessed or brute-forced — the credentials were specific enough that Unit 42 researchers assessed they were stolen prior to dropper compilation.
    • The credentials and internal domain names were embedded in plaintext inside the Disttrack dropper binary, a deliberate design choice that gave up stealth for reliable, fast propagation.
    • The initial foothold on the network is not fully documented in public reporting; analysts assess spear-phishing or a pre-staged remote-access mechanism as the most likely entry vector given the attacker's knowledge of internal domain structure.
    • RasGas (Qatar) was struck in a separate wave approximately two weeks later, suggesting the operators had pre-positioned access or a parallel intrusion chain against a second Gulf energy target.
  2. Phase 02 · Execution (TA0002)

    The dropper installed itself as a Windows service and decrypted two embedded payloads from encrypted resources

    • The main Disttrack dropper is a self-contained ~900 KB PE file; the other two components are encrypted within named resources: 'PKCS7' (communications/reporter module, saved as NETINIT.EXE) and 'PKCS12' (wiper module, saved with a randomized filename from a hardcoded list under %WINDIR%\System32).
    • Each component is decrypted with a per-resource base64-encoded XOR key. The dropper subtracts 14 from the offset value in its configuration as an additional obfuscation layer before reading ciphertext.
    • The dropper created a Windows service named 'ntssrv' with a convincing display name ('Microsoft Network Realtime Inspection Service') and description to blend into the service registry.
    • Execution was timed: the dropper checked system time against a preset activation date (hardcoded as 2012-08-15 for the original wave) and would only release the wiper component once that threshold was crossed — enabling detonation to be pre-staged across many systems simultaneously.
  3. Phase 03 · Lateral Movement (TA0008)

    Disttrack spread worm-like across the /24 subnet using hardcoded stolen credentials and SMB admin shares

    • The dropper called gethostbyname() and gethostname() to determine its local IP address, then enumerated all 256 hosts in the same /24 network segment (x.x.x.0–255), attempting to reach each one.
    • On each remote host, the dropper first authenticated with the hardcoded domain credentials via NetUseAdd and enabled the RemoteRegistry service, then set the LocalAccountTokenFilterPolicy registry value to 1 to disable UAC remote restrictions.
    • With UAC bypassed, the dropper copied itself to \System32\ntssrvr32.exe on the remote system via an admin share (C$) and chose between two delivery methods: creating a remote service ('ntssrv') or scheduling an unnamed job via NetScheduleJobAdd with the remote time of day plus 90 seconds.
    • Fallback propagation also used PsExec for systems where the service/schedule method failed, as noted in MITRE S0140.
    • No SMB exploits were used — unlike contemporaneous worms, Shamoon relied entirely on legitimate administrative access with stolen credentials.
  4. Phase 04 · Command & Control (TA0011)

    NETINIT.EXE beaconed victim telemetry over HTTP and awaited two possible commands from a hardcoded internal IP

    • The reporter module (NETINIT.EXE) connected over HTTP to a hardcoded C2 address (10.1.252.19 in the 2012 sample — an internal network address, suggesting the operator controlled a compromised internal host as the C2 node) using WinInet functions.
    • Each beacon included system tickcount, local IP, OS version, keyboard layout, and a file marker as a URL parameter (e.g. /ajax_modal/modal/data.asp?mydata=_3&uid=192.168.150.130&state=1568062).
    • The C2 supported two commands: 'E' to deliver and execute an arbitrary payload, and 'T' to set an override activation time for the wiper (stored in %WINDIR%\inf\netft429.pnf).
    • NETINIT.EXE looped continuously, checking for the wiper's completion-signal file (%WINDIR%\inf\netfb318.pnf) before terminating; the C2 design was intentionally minimal — the operator prioritized destruction over durable remote access.
  5. Phase 05 · Defense Evasion (TA0005)

    A legitimate, signed EldoS RawDisk driver gave the wiper kernel-level disk access without triggering OS protections

    • The wiper extracted a signed kernel-mode driver (drdisk.sys) from its resource section, decrypted it with a 226-byte XOR key, and installed it as a service — giving the wiper direct disk access via the ElRawDisk device interface without needing to call protected Windows APIs.
    • EldoS RawDisk is a legitimate commercial product for low-level disk access; because the driver carries a valid signature, it loads under driver signing enforcement without triggering it. The same trial license key (embedded in the driver) was used across the 2012, 2016, and 2018 waves.
    • To keep the temporary RawDisk trial license valid, the wiper reset the system clock to a random date in August 2012 before opening the ElRawDisk device — disguising the time-tampering as a side effect of legitimate driver initialization.
    • The wiper renamed itself using a filename drawn from a hardcoded list of plausible-sounding Windows utilities (e.g., caclsrv, certutl, dfrag, dvdquery) to avoid simple name-based detection.
    • Disttrack also timestomped files (T1070.006) to complicate forensic timeline reconstruction.
  6. Phase 06 · Impact (TA0040)

    ~30,000 Aramco workstations wiped on Lailat al Qadr; MBRs overwritten with fragments of a burning American flag

    • The wiper enumerated files under C:\Documents and Settings, C:\Users (Downloads, Documents, Pictures, Video, Music, Desktop), C:\Windows\System32\Drivers, and C:\Windows\System32\Config, then overwrote each file's contents with repeated 1,024-byte fragments of a burning U.S. flag JPEG (sourced from Wikimedia Commons — the PDB path 'C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb' left no ambiguity about political intent).
    • After overwriting files, the wiper used the ElRawDisk device interface to overwrite the Master Boot Record and partition tables of each storage volume, rendering the system permanently unbootable.
    • The wiper ended by issuing 'shutdown -r -f -t 2', forcing an immediate reboot into an unrecoverable state.
    • Approximately 30,000 workstations were destroyed at Saudi Aramco on August 15, 2012; RasGas in Qatar suffered a separate destructive wave roughly two weeks later. Saudi Aramco reportedly purchased a large share of the world's hard-drive supply to accelerate hardware replacement, and recovery took approximately two weeks.
    • Successor campaigns demonstrate the template's durability: Shamoon 2 (November 17, 2016 and January 2017) again struck Saudi energy and government organizations on a work-week holiday boundary; Shamoon 3 (December 2018) targeted an oil and gas organization. The 2016 variant overwrote files with an image of Alan Kurdi rather than the flag, maintaining the political-image motif.
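As an added example (not from the original page or any vendor tool), a detection sketch that runs over constructed log lines and flags the Phase 02 to Phase 05 behaviours described above: the ntssrv / drdisk service names, the LocalAccountTokenFilterPolicy change, the NETINIT.EXE beacon path, the clock reset into the August 2012 RawDisk trial window, and the wiper's masquerade filenames. The key=value log format is hypothetical; a real deployment would map these checks onto Sysmon, Security-log or proxy fields.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Behaviours the walkthrough attributes to Disttrack (hypothetical key=value log format).
SERVICE_NAMES = {"ntssrv", "drdisk"}                            # dropper service, RawDisk driver service
MASQUERADE_NAMES = {"caclsrv", "certutl", "dfrag", "dvdquery"}  # wiper filename list
BEACON_PATH = "/ajax_modal/modal/data.asp"                      # NETINIT.EXE beacon path
TRIAL_WINDOW = (datetime(2012, 8, 1), datetime(2012, 9, 1))     # RawDisk eval-licence window
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                         # key=value or key="quoted value"
# Constructed sample log: five Disttrack-like events on ws17 and one benign event on ws18.
SAMPLE_LOG = """\
2024-03-02T10:00:01 host=ws17 event=service_install name=ntssrv display="Microsoft Network Realtime Inspection Service"
2024-03-02T10:00:02 host=ws17 event=registry_set path=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy value=1
2024-03-02T10:00:03 host=ws17 event=http_request url=http://10.1.252.19/ajax_modal/modal/data.asp?mydata=_3&uid=192.168.150.130&state=1568062
2024-03-02T10:00:04 host=ws17 event=clock_set new_time=2012-08-16T02:00:00
2024-03-02T10:00:05 host=ws17 event=process_create image=C:\\Windows\\System32\\certutl.exe
2024-03-02T10:00:06 host=ws18 event=process_create image=C:\\Windows\\System32\\notepad.exe
"""

def parse_line(line):
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields

def classify(ev):
    # Returns (ATT&CK technique, reason) for a matching event, or None if nothing matched.
    kind = ev.get("event")
    if kind == "service_install" and ev.get("name", "").lower() in SERVICE_NAMES:
        return "T1543.003", f"Disttrack service name {ev['name']!r}"
    if kind == "registry_set" and ev.get("path", "").endswith("LocalAccountTokenFilterPolicy") and ev.get("value") == "1":
        return "T1112", "UAC remote restrictions disabled (LocalAccountTokenFilterPolicy=1)"
    if kind == "http_request":
        u = urlparse(ev.get("url", ""))
        if u.path == BEACON_PATH and "mydata" in parse_qs(u.query):
            return "T1071.001", f"NETINIT.EXE-style beacon to {u.hostname}"
    if kind == "clock_set":
        t = datetime.fromisoformat(ev["new_time"])
        if TRIAL_WINDOW[0] <= t < TRIAL_WINDOW[1]:
            return "T1070.006", "clock reset into the Aug 2012 RawDisk trial window"
    if kind == "process_create":
        stem = ev.get("image", "").rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if stem in MASQUERADE_NAMES:
            return "T1036.004", f"wiper masquerade name {stem!r}"
    return None

def scan(log_text):
    # Returns [(timestamp, host, technique, reason)] for every line that matches.
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [(e["ts"], e["host"]) + hit for e in events if (hit := classify(e))]
```

Any single hit is worth a ticket, but several of these on one host within seconds is the pre-detonation pattern the walkthrough describes, so correlate per host rather than alerting per line.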
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • APT33 (Cutting Sword of Justice persona)
Capability
  • T1078.002
  • T1566.001
  • T1543.003
  • T1140
  • T1124
Infrastructure
Victim
  • See narrative above
Primary sources