ANNOUNCEMENT FAQ

McAfee Strategic Intelligence/ 2 Frequently Asked Questions

Q. What is the news? activity of a nation-state actor. Taken together, this A. McAfee has linked a series of cyber-attacks in new series of Shamoon cyber espionage campaigns Saudi Arabia to a common malicious actor rather are significantly larger, well-planned, well-resourced, than to individual cyber gangs in the region. and coordinated at a level beyond the limited McAfee Strategic Intelligence researchers have capacity of disparate independent gangs. released evidence that a series of cyber-attacks Q. How can McAfee make these claims? targeting the Persian Gulf and, specifically, Saudia McAfee Strategic Intelligence surveyed the evolution Arabia between 2012 and the present are the work A. of Shamoon-based attacks, from the 2012 attacks of hacker groups supported and coordinated by a on the Persian Gulf energy sector, to the latest common malicious actor, and not the random efforts campaigns in Saudia Arabia in 2016 and 2017. of a variety of individual cyber gangs in the region. McAfee found commonalities between the Shamoon The latest Shamoon campaigns go beyond a samples, tactics and even infrastructure few targets in energy, to many in other critical used in these attacks: sectors that run Saudi Arabia. Whereas earlier

Shamoon campaigns targeted a relatively small ■■ The new attacks used 90% of the original code number of energy sector organizations to disrupt from the 2012 attacks the operations of the region’s critical industry, the ■■ The macro code used in the latest spear-phishing new attacks are focused on a greater number of campaign was also used in the attacks launched organizations in the energy, government, financial by in Spring 2016 services and critical infrastructure sectors of Saudi Arabia to disrupt that entire country. ■■ Some of the new attacks also used some of the same infrastructure previously used by the Oil-RIG The large-scale, sophisticated, coordinated campaign in late 2015. nature of the latest campaigns suggest the Connect With Us

1 McAfee Strategic Intelligence/Shamoon 2 ANNOUNCEMENT FAQ

Q. Why is this different from previous Shamoon ■■ Attack Wave 3: Began January 23, 2017, and discoveries and revelations? ongoing, with similar samples and methods and A. Past research has examined Shamoon attacks TTPs as in Waves 1 and 2. in depth, but haven’t brought forward evidence Q. What was the impact of these attacks? of a substantial overlap in code, tactics and In 2012, the actors moved quickly in and out of the infrastructure to the extent McAfee has today. A. victim’s network, inflicting system-wipe damage and Q. How do these attacks work? then disappearing. A. Step 1. Once a target is identified, the attackers send In 2016, the actors penetrated networks and spear-phishing emails to individuals working within established remote control to gather intelligence for the organization. The recipients of these messages future planned wiping attacks. are chosen carefully, with the assumption that they Unless thwarted, the attackers could have exfiltrated will enable network access to the most sensitive any data of value to them, and then erased the information and systems in the organization. systems’ data and made them unable to boot up Step 2. The email recipient is lured into clicking on and operate. a link within the email or opening a Microsoft Office file embedded with macros that allow the attackers Q. What does this discovery mean? to create backdoor access to the organizations. A. These findings are the latest evidence of rogue state or stateless actors developing increasingly sophisticated Step 3. The attackers conduct reconnaissance and powerful and cyber espionage across the network to identify valuable information capabilities to project geopolitical and strategic and critical systems. power that would otherwise be beyond their reach. Step 4. Once the reconnaissance is complete, Such actors may seek to acquire cyber capabilities the attackers weaponize the attack and wipe the from the Black Market in the same way North Korea hard drives of the master boot records (MBRs). In looked to Pakistan’s Abdul Qadeer Khan to acquire the 2016 to present case, the attackers launched nuclear technologies. multiple simultaneous waves of attacks: They may choose to collaborate with other ■■ Attack Wave 1: Wiped systems on November 17, aspiring actors as Iran and North Korea have in the 2016, at 20:45 Saudi time. development of ballistic missiles. ■■ Attack Wave 2: Wiped systems on November 29, 2016, at 01:30 Saudi time.

2 McAfee Strategic Intelligence/Shamoon 2 ANNOUNCEMENT FAQ

What we know for certain is that cyber tools, tactics, Engagement: The group will also be the primary knowledge, talent and infrastructure are similarly vehicle within McAfee for engagement with law available to actors wishing to acquire them. enforcement, academia, and other organizations, including efforts to take down criminal networks, Q. What else did McAfee announce today? develop new approaches to fighting cybercrime, A. McAfee announced the formation of McAfee and recruit more young people to join the ranks of Strategic Intelligence, a new research team charged cybersecurity professionals. with investigating the technology and tactics of the latest cyberwarfare and cybercrime campaigns, and Q. How does McAfee Labs’ research charter and working with law enforcement to take action against mission differ from that of Strategic Intelligence? networks of cybercriminals. A. McAfee Labs gathers threat intelligence data from The creation of Strategic Intelligence firmly millions of sensors across key threats vectors— establishes McAfee’s commitment to understanding file, web, and network—delivers real-time threat the cyber threat landscape, and will complement intelligence, critical analysis, and expert thinking to the work of McAfee Labs, one of the world’s most improve system protection and reduce risks. prominent sources of threat intelligence data, and McAfee Labs develops core threat detection the technology vulnerability research conducted by technologies that are incorporated into the broadest the Advanced Threat Research team. security product portfolio in the industry. McAfee Labs also engages with McAfee’s many Q. What is McAfee Strategic Intelligence’s mission? cyber threat intelligence sharing partners, including A. The McAfee Strategic Intelligence team will the Cyber Threat Alliance, an independent industry investigate the latest threats, their design, and how organization committed to facilitating the exchange they are built into cyber-attack campaigns, and of the latest threat data. Cyber Threat Alliance inform McAfee customers on how they can protect partners include Check Point, Cisco, Fortinet, Palo themselves and learn from these attacks moving Alto Networks, and Symantec. forward. Areas of research will include advanced malware, , financial fraud, general cybercrime, cyber espionage, cyberwarfare, and protection of industrial control systems.

3 McAfee Strategic Intelligence/Shamoon 2 ANNOUNCEMENT FAQ

Q. How does McAfee Advanced Threat Research’s By researching security vulnerabilities in the areas charter and mission differ from that of Strategic of hardware, firmware, virtualization technologies Intelligence? and crypto software, the McAfee Advanced Threat A. McAfee’s Advanced Threat Research group conducts Research team plays an important role within research into vulnerabilities within the foundational McAfee, particularly as connected environments hardware and software technologies of the industry. because more diverse. Increasingly, people around the world depend Upon discovery of vulnerabilities, the team on technology for their daily affairs. Making coordinates the responsible disclosure and timely this technology trustworthy requires a deep mitigations with affected technology vendors. understanding of how attacks work.

2821 Mission College Blvd. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or itssubsidiaries in the US and other countries. Other Santa Clara, CA 95054 marks and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC. 3699_0417 888.847 8766 APRIL 2017 www.mcafee.com

4 McAfee Strategic Intelligence/Shamoon 2