The cyber-attack against Iran’s national railway system was carried out with a wiper malware named Meteor, not with ransomware as initially thought.
Meteor was a previously undetected strain of malware and it has not been linked to any specific advanced persistent threat actors.
Iran’s railroad system was hit by a cyberattack on July 9 where the hackers published fake messages about delays or cancellations of the trains on display boards at stations across the country.
SentinelOne researchers track the wiper as ‘Meteor’ and have named the campaign MeteorExpress.
The MeteorExpress attack chain begins with the attackers abusing Group Policy to distribute a CAB file that launches the attack.
The attack involved three components: the Meteor wiper itself, a file named mssetup.exe that acted as a screen locker and locked users out of their systems, and nti.exe, which corrupted the system’s master boot record (MBR).
Once distributed within the target network, the malware deleted volume shadow copies to prevent data recovery and removed the machine from the domain, cutting off the quickest route to remediating infected systems.
The malware wiped the file system of the infected machines and displayed a message instructing victims to call a phone number belonging to the office of Supreme Leader Ayatollah Ali Khamenei.
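The two recovery-defeating behaviours described above, shadow copy deletion and domain unjoin, are the kind of thing a defender can flag in process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) before the wiping stage completes. The detector below is an added example for this page, not code from the article or from SentinelOne’s report; the log records are constructed for illustration, and the command lines it matches are the generic Windows ways of performing these actions, not quotes from the Meteor scripts.

```python
"""Added example: flag shadow-copy deletion and domain unjoin in
process-creation telemetry. Not from the article or SentinelOne's report;
all records below are constructed sample data."""
import re
from dataclasses import dataclass

# Constructed records in the shape of Sysmon Event ID 1 / EDR process
# creation telemetry: (host, parent image, command line). ws01 shows
# both behaviours, ws02 only the unjoin, ws03 only a shadow-copy delete.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"),
    ("ws01", r"C:\Windows\System32\cmd.exe",
     r"vssadmin.exe delete shadows /all /quiet"),
    ("ws01", r"C:\Windows\System32\cmd.exe",
     r'wmic computersystem where name="%computername%" call unjoindomainorworkgroup'),
    ("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Remove-Computer -Force"),
    ("ws03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    ("ws03", r"C:\Windows\System32\cmd.exe",
     r"vssadmin.exe list shadows"),  # benign: listing, not deleting
]

# Generic command-line patterns for the two behaviours (case-insensitive).
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_deletion", re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("domain_unjoin", re.compile(r"\bRemove-Computer\b", re.I)),
    ("domain_unjoin", re.compile(r"\bunjoindomainorworkgroup\b", re.I)),
    ("domain_unjoin", re.compile(r"\bnetdom(\.exe)?\s+remove\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    command_line: str


def scan(events):
    """Return one Finding per event whose command line matches a rule."""
    findings = []
    for host, _parent, cmdline in events:
        for technique, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, technique, cmdline))
                break  # first matching rule wins; one finding per event
    return findings


def hosts_with_both(findings):
    """Hosts where backups and domain-based remediation are cut off together,
    the combination the article describes; sorted for stable output."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.technique)
    wanted = {"shadow_copy_deletion", "domain_unjoin"}
    return sorted(h for h, techniques in seen.items() if wanted <= techniques)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host}: {f.technique}: {f.command_line}")
    print("hosts with both behaviours:", hosts_with_both(results))
```

Either behaviour alone has legitimate uses (backup rotation, workstation decommissioning), so the useful alert is the pairing on one host within a short window, which `hosts_with_both` computes; in a real deployment the window, the user context and the parent process would be part of the rule.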
Experts believe that the malware is a sophisticated threat that includes multiple components that could be reused in future attacks with unpredictable consequences.
The researchers noted that while some parts of the malware appear to have been written by experienced developers, the code is disorganized. Redundant functionality across different components of the attack chain suggests an uncoordinated division of responsibilities across teams that may have assembled the operation in a hurry.