The affected systems were located in the Middle East, where Saipem does a vast majority of its business, India, Italy, and Scotland.
Shamoon is shaping up to be one of the most dangerous strains of malware known to date. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Aramco, Saudi Arabia's largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images. The 2012 attack was devastating in particular, with Shamoon wiping data on over 30,000 computers, crippling the company's activity for weeks.
Saipem is an Italian oil and gas company that specialises in drilling services and pipeline design, and is one of Saudi Aramco's main foreign contractors. This latest Shamoon incident took over the past weekend of December 8 and 9. The company publicly acknowledged the incident in a press release, calling it a cyber attack, but without providing any useful information.
On the same day, a never before seen version of the Shamoon malware was uploaded on VirusTotal from an IP address located in Italy, where Saipem's main headquarters are located, and other samples were uploaded the next day from an IP address in India, another region that Saipem also said was affected.
But while in the past Shamoon incidents attackers deleted and replaced files, a source inside the company told ZDNet that this time attackers chose to overwrite original files with garbage data.
The Shamoon infection didn't appear to do damage to Saipem's ability to do business. Only regular workstations and laptops connected to Saipem's business network were affected and the company's internal systems for controlling industrial equipment were not impacted.
Older versions of the Shamoon malware were also known to come hardcoded with a list of SMB (Server Message Block) credentials that the malware would use to spread throughout a network on its own.