The cyberattack that paralyzed a railroad in Iran earlier this month was not carried out with ransomware, as previously thought, but with Meteor, a wiper that erases all data stored on the system.
According to Juan Andres Guerrero-Saade, senior researcher at the information security company SentinelOne, the incident with the Iranian railway is the first case of Meteor use, and experts have not yet been able to connect it with any known cybercriminal group.
According to an analysis by SentinelOne researchers, Meteor is one of three tools used in the attack on the Iranian railroad on July 9, codenamed MeteorExpress. During the attack, the following were used:
- Meteor malware that erases the file system of an infected computer;
- The mssetup.exe file that plays the role of a screen lock previously used by ransomware to block users from accessing the contents of their computers;
- The nti.exe file that overwrites the Master Boot Record (MBR) on the victim’s computer.
Guerrero-Saade did not elaborate on how or where the attack started, but said that once inside the targeted network, the attackers used Group Policies to deploy the malware, deleted shadow copies to prevent data recovery, and disconnected infected hosts from their local domain controller so that system administrators were unable to take appropriate action immediately.
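As an added defender-side example, not code from the article or from SentinelOne: a small triage routine that scans constructed process-creation records for the behaviours listed above (shadow copy deletion, Group Policy deployment from SYSVOL, and the named wiper components). The shadow-copy command patterns, the SYSVOL path pattern and the sample hosts are assumptions; only the component filenames come from the article.

```python
"""Triage Windows process-creation events for the MeteorExpress behaviours the
article describes. Records are constructed and simplified (Sysmon Event ID 1
style: host, image path, command line); all indicator patterns are assumptions."""
import re
from collections import defaultdict

# Constructed sample events: (host, image path, command line).
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("ws01", r"\\corp.example\SYSVOL\corp.example\scripts\setup.bat", "setup.bat"),
    ("ws01", r"C:\temp\nti.exe", "nti.exe"),
    ("ws02", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ("ws03", r"C:\Program Files\Backup\agent.exe", "agent.exe --schedule"),
]

# Assumed indicators: common shadow-copy deletion commands (MITRE T1490) and
# executables launched from a domain SYSVOL share, which is where GPO-deployed
# scripts live. The filenames are the two components quoted in the article;
# names are trivial to change, so the behavioural signals carry more weight.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
GPO_SCRIPT_PATH = re.compile(r"\\\\[^\\]+\\SYSVOL\\", re.I)
NAMED_COMPONENTS = {"mssetup.exe", "nti.exe"}

def classify(image, cmdline):
    """Return the set of behaviour tags a single event matches."""
    tags = set()
    if SHADOW_DELETE.search(cmdline):
        tags.add("shadow_copy_deletion")
    if GPO_SCRIPT_PATH.search(image):
        tags.add("gpo_sysvol_execution")
    if image.rsplit("\\", 1)[-1].lower() in NAMED_COMPONENTS:
        tags.add("named_wiper_component")
    return tags

def triage(events):
    """Correlate tags per host; two or more distinct behaviours escalate the host."""
    per_host = defaultdict(set)
    for host, image, cmdline in events:
        per_host[host] |= classify(image, cmdline)
    return {h: {"tags": sorted(t), "escalate": len(t) >= 2}
            for h, t in per_host.items() if t}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Only ws01 is escalated in the sample: listing shadow copies on ws02 is benign and produces no tag.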
Upon completion of the attack, all data on the computer was deleted, and a notification appeared on the screen prompting the victim to call the administration of Iranian leader Ali Khamenei. Although the attack looks like a cruel joke on the Iranian government, the wiper used in it is far from being a joke.
According to Guerrero-Saade, all the tools used in the attack are a “wild mix of custom code”, including open source components, ancient software and components written from scratch, “replete with health checks, error checking and redundancy in achieving their goals”.
While some parts of the wiper appear to have been written by an experienced and professional developer, the disorganized nature of the MeteorExpress attack may indicate that both Meteor itself and the entire operation could have been performed in a hurry by multiple teams.