Cyber Incident Victim: Bahrain Petroleum Company
Date: Dec 2019
Location: Bahrain
Summary
A state-sponsored Iranian cyberattack deployed the Dustman data-wiping malware against Bahrain's national oil company, exploiting a VPN vulnerability to gain initial access before escalating privileges through domain controllers and distributing the malware across the network. The attack, motivated by geopolitical tensions and the victim's association with Saudi Aramco, caused limited disruption—partially deleting data and triggering system crashes—due to its hasty execution and lack of thorough testing. Antivirus detection the following day enabled containment, preventing widespread damage. The malware represented an evolution of earlier Iranian wipers like ZeroCleare, leveraging EldoS RawDisk for destructive actions, though security analysts could not definitively attribute it to a specific Iranian threat group.
Description
On December 29, 2019, Iranian state-sponsored hackers deployed Dustman, a new data-wiping malware variant, against Bahrain Petroleum Company (Bapco). The attackers exploited a VPN vulnerability to gain initial access to Bapco's network, then escalated privileges through domain controllers to distribute the malware across systems. Dustman, an evolution of the earlier ZeroCleare wiper, used the EldoS RawDisk driver to overwrite and delete data irrecoverably. The malware's deployment coincided with heightened geopolitical tensions following a U.S. drone strike that killed Iranian General Qasem Soleimani. Security analysts attributed the targeting of Bapco to Bahrain's strategic alliance with Saudi Arabia, particularly Bapco's operational ties to Saudi Aramco, and to ongoing political strains between Bahrain and Iran. While the attackers intended widespread destruction, the operation's hasty execution limited its effectiveness: malware samples showed signs of incomplete testing and triggered Blue Screen of Death crashes on some systems rather than completing full data erasure.

Bapco's security team detected the intrusion on December 30 when antivirus software identified the malicious payload, one day after initial compromise. The company contained the incident before Dustman could propagate through its entire computer fleet, resulting in only partial network impact. Saudi Arabia's National Cybersecurity Authority subsequently issued alerts to regional energy sector organizations regarding the new threat. Cybersecurity researchers observed Dustman samples uploaded to public analysis platforms VirusTotal and Hybrid-Analysis, enabling technical examination of its wiper mechanisms. Despite Iran's documented history of deploying similar destructive malware like Shamoon against energy targets, investigators could not conclusively link this attack to a specific Iranian threat group. The incident caused temporary operational disruptions but did not achieve the attackers' apparent objective of comprehensive data destruction due to both defensive actions and the malware's technical shortcomings.
