StoneDrill wiper attacks on Saudi organizations
Kaspersky uncovered StoneDrill, a sophisticated new wiper that destroyed data at Saudi petrochemical and industrial targets alongside the Shamoon 2 campaign, and which had spread as far as a victim in Europe.
- Victim: Saudi petrochemical and industrial organizations
While investigating the Shamoon 2 wiper campaign against Saudi Arabia in early 2017, Kaspersky Lab's GReAT team stumbled upon a second, previously unknown destructive malware on a Saudi network. They named it StoneDrill — a more sophisticated wiper that was attacking petrochemical and industrial organizations during the same window, and which had already reached at least one victim in Europe.
What happened
StoneDrill and Shamoon 2 were used against Saudi targets in the same October–November 2016 timeframe and into 2017, but they were technically distinct. Where Shamoon relied on a signed third-party driver to gain raw disk access, StoneDrill executed entirely in memory, injecting its wiping module into the victim's preferred browser process to evade detection. It also carried elaborate anti-emulation and anti-sandbox techniques, marking it as a notably more advanced tool.
Kaspersky's "From Shamoon to StoneDrill" research, published on 7 March 2017, concluded that the two wipers were aligned in interest but operated by separate actors. Intriguingly, older StoneDrill samples from 2014 shared base code with the NewsBeef group — also tracked as Charming Kitten — an Iranian-linked espionage actor, suggesting a common heritage.
Impact
- Multiple Saudi petrochemical and industrial organizations had systems wiped, with data destroyed and machines rendered unbootable, mirroring the Shamoon destruction model.
- The discovery of a StoneDrill victim in Europe signalled the campaign's operators were expanding their wiping operations beyond the Gulf, a significant escalation in geographic scope.
- As a purely destructive operation, StoneDrill caused recovery costs and downtime rather than data theft or ransom.
Attribution
No government issued a formal indictment, but the code overlaps with Charming Kitten and the parallel timing with Shamoon 2 pointed researchers toward Iranian-aligned actors. The relationship between the Shamoon and StoneDrill operators remained ambiguous; the prevailing assessment was that they were distinct teams pursuing a shared agenda of disruption against Saudi and Gulf interests.
Why it matters
StoneDrill proved that the wave of destructive attacks hammering Saudi Arabia in 2016–2017 was not a single tool but an ecosystem of wipers, some far stealthier than Shamoon. Its memory-only execution and anti-analysis sophistication raised the bar for endpoint detection in the region, and its European victim was an early warning that Gulf-focused wiper campaigns could metastasize globally — a pattern later echoed by NotPetya and the Shamoon 3 attack on Saipem in 2018.
Timeline
StoneDrill and Shamoon 2 samples begin appearing against Saudi organizations during the same October–November window.
The first Shamoon 2 wave detonates; while investigating, Kaspersky finds an unrelated, more advanced wiper on a Saudi network.
A further Shamoon 2 wave hits Saudi petrochemical targets, deepening the destructive campaign against industrial firms.
Kaspersky publicly discloses StoneDrill, detailing memory-only execution, anti-emulation tricks and a victim found in Europe.
Researchers link old StoneDrill samples to base code shared with the NewsBeef / Charming Kitten group, pointing to Iranian alignment.
Sources
- securelist.com: https://securelist.com/from-shamoon-to-stonedrill/77725/
- usa.kaspersky.com: https://usa.kaspersky.com/about/press-releases/from-shamoon-to-stonedrill-advanced-new-destructive-malware-discovered-in-the-wild-by-kaspersky-lab
- securityweek.com: https://www.securityweek.com/shamoon-2-variant-targets-virtualization-products/
- kaspersky.com: https://www.kaspersky.com/blog/shamoon-stonedrill/15170/