A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System (Security News, July 2021)
A cyber attack that derailed websites of Iran's transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called "Meteor."
The campaign - dubbed "MeteorExpress" - has not been linked to any previously identified threat group or to additional attacks, making it the first incident involving the deployment of this malware, according to researchers from Iranian antivirus firm Amn Pardaz and SentinelOne.
"Despite a lack of specific indicators of compromise, we were able to recover most of the attack components," SentinelOne's Principal Threat Researcher, Juan Andres Guerrero-Saade, noted.
On July 9, the Iranian train system was left paralyzed in the wake of a major attack, with the hackers defacing electronic displays to instruct passengers to direct their complaints to the phone number of the Iranian Supreme Leader Ayatollah Ali Khamenei's office.
According to SentinelOne, the infection chain began with the abuse of Group Policy to deploy a toolkit built from batch files that orchestrate a set of components. Those components are extracted from multiple RAR archives and chained together to encrypt the filesystem, corrupt the master boot record, and lock the affected system.
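The three-stage deployment described above (GPO-delivered batch files, RAR extraction, then raw writes to the boot record) is the kind of sequence a defender can correlate per host in endpoint telemetry. The following is an added example, not code from the article or from SentinelOne; the event records are constructed and simplified, and the field names, the SYSVOL path heuristic and the `raw_disk` event type are assumptions about what a telemetry pipeline would expose.

```python
"""Correlate a MeteorExpress-style deployment chain across constructed host telemetry."""
from collections import defaultdict

# Constructed, simplified telemetry (not real logs). Field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws01", "seq": 1, "type": "proc", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c \\dc01\sysvol\corp.local\scripts\setup.bat"},
    {"host": "ws01", "seq": 2, "type": "proc", "image": "rar.exe",
     "cmdline": r"rar.exe x C:\temp\env.rar C:\temp"},
    {"host": "ws01", "seq": 3, "type": "raw_disk",
     "device": r"\\.\PhysicalDrive0", "access": "write"},
    # Benign archive extraction on another host: only one stage, no alert.
    {"host": "ws02", "seq": 1, "type": "proc", "image": "rar.exe",
     "cmdline": r"rar.exe x C:\Users\alice\docs.rar"},
    # Backup agent reading the disk: read access is not the MBR-corruption stage.
    {"host": "ws03", "seq": 1, "type": "raw_disk",
     "device": r"\\.\PhysicalDrive0", "access": "read"},
]

# Stage order mirrors the chain in the article: GPO batch -> RAR extract -> MBR write.
STAGES = ("gpo_batch", "rar_extract", "raw_disk_write")


def classify(ev):
    """Map one telemetry event to a chain stage, or None if it matches nothing."""
    if ev["type"] == "proc":
        image, cl = ev["image"].lower(), ev["cmdline"].lower()
        # Assumption: GPO startup scripts are launched from the domain SYSVOL share.
        if image == "cmd.exe" and ".bat" in cl and "\\sysvol\\" in cl:
            return "gpo_batch"
        if image in ("rar.exe", "unrar.exe") and " x " in cl:
            return "rar_extract"
    elif (ev["type"] == "raw_disk" and ev.get("access") == "write"
          and ev["device"].lower().startswith(r"\\.\physicaldrive")):
        return "raw_disk_write"
    return None


def find_chains(events):
    """Return hosts on which all three stages were observed in sequence order."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["host"], e["seq"])):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append(stage)
    hits = []
    for host, seen in by_host.items():
        expected = 0
        for stage in seen:
            if stage == STAGES[expected]:
                expected += 1
                if expected == len(STAGES):
                    hits.append(host)
                    break
    return hits
```

A real pipeline would key the same logic on process lineage and timestamps rather than a `seq` counter, and the raw-disk stage alone is worth alerting on for hosts that have no backup or imaging role.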
"Conflict in cyberspace is overpopulated with increasingly brazen threat actors. Behind the artistry of this epic troll lies an uncomfortable reality where a previously unknown threat actor is willing to leverage wiper malware against public railway systems," Guerrero-Saade said.