Crippling attack on Iranian trains linked to Meteor file wiper malware

The Meteor file wiper malware is linked to a cyberattack that took place on July 9th, 2021 on the Iranian railway system and transport ministry.

The Meteor file wiper malware is linked to a cyberattack that took place on July 9th, 2021 on the Iranian railway system and transport ministry.

The IT security researchers at SentinelOne’s security have reported that a cyberattack that brought down Iran’s national railways earlier in July involved a new, reusable wiper malware known as Meteor.

According to Juan Andres Guerrero-Saade of SentinelOne, the wiper is designed to cripple the targeted systems leaving no option for remediation by recovering shadow copies or domain administration.

“Conflict in cyberspace is overpopulated with increasingly brazen threat actors. Behind the artistry of this epic troll lies an uncomfortable reality where a previously unknown threat actor is willing to leverage wiper malware against public railways systems,” Guerrero-Saade wrote.

About MeteorExpress

For your information, the Iranian railway system and transport ministry got hit by a cyberattack on July 9th, 2021. The agency’s websites went down, and the country’s train service was disrupted.

SEE: Hackers deface Airport screens in Iran with anti-govt messages

The campaign was dubbed MeteorExpress in which attackers defaced electronic displays, directing passenger complaints to Iranian Supreme Leader Ayatollah Ali Khamenei’s office phone number. Additionally, hundreds of trains were canceled or delayed, and unprecedented chaos was caused at stations.

Crippling attack on Iranian Railways linked to Meteor file wiper malware
Iran International (Twitter)

The attackers posted on the railways’ message boards that trains were delayed because of an ongoing cyberattack.

“Despite a lack of specific indicators of compromise, we were able to recover most of the attack components. Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker,” Guerrero-Saade, noted.

“The attacker is an intermediate level player whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed,” he added.

What is a Wiper Malware?

A wiper malware is basically a file wiper. It deletes all files on a computer and causes it to become unbootable. It is also used to divert the admin’s attention while launching another taking place.

Wiper malware attacks are far more destructive than ransomware as these aren’t intended to generate revenue for the threat actors but cause havoc and disrupt an organization’s operations.

Iran International (Twitter)
MeteorExpress Attack Chain (Image: SentinelLabs)

This is the first such incident where the Meteor file wiper malware was deployed, but it is believed that it has been under development for the past three years. It is a highly configurable wiper with an extensive range of features, from deleting shadow copies to changing user passwords, disabling recovery mode, terminating arbitrary processes, and executing malicious commands.

SEE: Iranian hackers hit Israel with disk wiper in disguise of ransomware

The Iranian cybersecurity firm Aman Pradaz had analyzed this wiper earlier, but SentinelOne identified some new components that offered a clearer picture of Meteor’s malicious activities.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts