Recent attacks involving the destructive malware Shamoon (W32.Disttrack.B) were launched by attackers conducting a much wider campaign in the Middle East. While the attackers have compromised multiple targets in the region, only selected targets in Saudi Arabia were infected with Shamoon.
On February 15, publications from IBM (The Full Shamoon) and Palo Alto (Magic Hound) separately discussed a persistent attack campaign operating primarily in the Middle East with links to Shamoon. This campaign was conducted by a group we identify as Timberworm. The group appears to have facilitated the third wave of destructive attacks involving Shamoon in January 2017. Timberworm operates in the Middle East and beyond. Only specific organizations affiliated with Saudi Arabia appear to have been earmarked for destructive wiping attacks.