Wiper · Resolved

Shamoon 2 wiper attacks on Saudi government

A reactivated Shamoon (Disttrack) wiper destroyed thousands of computers across Saudi government bodies including the General Authority of Civil Aviation, overwriting master boot records with the image of a drowned Syrian child.

Victim
Saudi General Authority of Civil Aviation (GACA) and Saudi government bodies

Beginning on the evening of 17 November 2016, a reactivated version of the Shamoon disk-wiping malware, also known as Disttrack, tore through computers at multiple Saudi government organizations, most prominently the General Authority of Civil Aviation (GACA). The campaign, dubbed Shamoon 2, marked the return of the same malware family that had crippled Saudi Aramco in 2012.

What happened

The malware was pre-configured with a hard-coded trigger time. At 8:45 p.m. local time on 17 November, infected machines began overwriting files and then destroyed the master boot record (MBR), leaving systems unable to reboot. Where the 2012 Shamoon had drawn a burning U.S. flag, Shamoon 2 overwrote files with the photograph of Alan Kurdi, the drowned Syrian toddler whose image became a symbol of the refugee crisis, an apparent political message.

Analysts at Palo Alto Networks' Unit 42 identified at least three waves: 17 November 2016, 29 November 2016, and 23 January 2017. The attackers used legitimate domain credentials (likely harvested in earlier intrusions) to spread laterally, and a later wave specifically targeted Huawei virtual desktop infrastructure (VDI), embedding hard-coded administrator credentials to wipe even virtualized environments.

Impact

  • Thousands of computers were reportedly destroyed at GACA's headquarters, with data erased and operations disrupted for several days.
  • Multiple other Saudi government and civil bodies, including labour and transport-related agencies, were affected across the three waves.
  • GACA publicly downplayed the impact, stating that only office administration systems, not aviation safety or air-traffic systems, were hit.
  • Because Shamoon is purely destructive, there was no data exfiltration or ransom; the goal was disruption and sabotage.

Attribution

The Shamoon family is widely attributed by Western governments and researchers to Iranian state-sponsored actors, with the campaigns linked to groups tracked as APT33 and OilRig. Kaspersky's research connected the 2016–2017 waves to a parallel, more advanced wiper it named StoneDrill, concluding the two operations were aligned in interest though run by distinct actors. No individuals were ever charged.

Why it matters

Shamoon 2 confirmed that the 2012 Aramco attack was not a one-off but the opening of a sustained wiper campaign against the Gulf. It demonstrated that destructive malware could be re-weaponized years later, pre-timed to detonate en masse, and engineered to reach virtualized infrastructure, pushing Saudi Arabia to accelerate the creation of its National Cybersecurity Authority in 2017 and harden government endpoints across the kingdom.

Timeline

  1. 17 November 2016: First Shamoon 2 wave triggers at 8:45 p.m. Saudi time, wiping systems at multiple Saudi government organizations including the General Authority of Civil Aviation.

  2. 29 November 2016: Second wave activates at 1:30 a.m. Saudi time against a further Saudi organization, this time targeting Huawei virtual desktop infrastructure.

  3. Reports surface that thousands of computers at GACA were destroyed; the agency confirms an attack but downplays operational impact.

  4. 23 January 2017: A third Shamoon 2 wave strikes additional Saudi targets, including organizations in the petrochemical sector.

  5. Kaspersky publishes its 'From Shamoon to StoneDrill' research linking the campaign to a parallel new wiper and to Iranian interests.

Sources

  1. Unit 42 (Palo Alto Networks): https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/
  2. CNN Money: https://money.cnn.com/2016/12/01/technology/saudi-arabia-hack-shamoon/
  3. SecurityWeek: https://www.securityweek.com/saudi-aviation-agency-downplays-impact-shamoon-attack/
  4. Help Net Security: https://www.helpnetsecurity.com/2016/12/05/disttrack-wiper-hits-saudi-arabia/
  5. Securelist (Kaspersky): https://securelist.com/from-shamoon-to-stonedrill/77725/

Related incidents

Wiper · Contained

Albania HomeLand Justice destructive wiper (Iran MOIS, 2022)

Iran's Ministry of Intelligence and Security, operating as 'HomeLand Justice', spent 14 months dwelling in Albanian government networks before launching ransomware-style file encryption and disk-wiping malware. Albania suspended online public services and became the first country in history to sever diplomatic ties with another state over a cyberattack.

Victim
Government of Albania

Wiper · Resolved

WhisperGate wiper attack

On the eve of Russia's invasion, a destructive wiper disguised as ransomware corrupted master boot records and files across dozens of Ukrainian government, IT and non-profit organisations, defacing official websites and signalling the cyber dimension of the coming war.

Victim
Ukrainian government, IT and non-profit organisations

Wiper · Unresolved

Iranian Railways 'MeteorExpress' wiper attack

A previously unseen wiper named Meteor crippled Iran's national railway network, wiping computers across stations, halting and delaying hundreds of trains, and defacing departure boards with a number for travelers to call: the office of Supreme Leader Khamenei.

Victim
Islamic Republic of Iran Railways (RAI) / Ministry of Roads and Urban Development