How the Meteor Express Attack Derailed Iran's Train System - ThreatWire CrossPost

By Shannon Morse, ThreatWire

In early July, we learned that Iran’s transport ministry and national train system were hit with a cyberattack that caused train service disruptions and took the agency website offline. Message boards that usually display train data were hacked, with the malicious actors posting messages saying trains were delayed or cancelled altogether due to the attack; a phone number for the office of the Supreme Leader Ali Khamenei was also included on some of these boards. Electronic tracking of trains all across Iran failed during this time as well, and attackers locked connected Windows devices on the railway networks behind a lock screen.

This attack, which happened on July 9, was analyzed by Aman Pardaz, an Iranian cybersecurity firm, and SentinelOne then published further findings to give the public a better idea of what happened.

A security researcher with SentinelOne published a report showing that the attack, dubbed Meteor Express, used new malware called Meteor. Meteor is a file wiper, a kind of malware that deletes files so systems are no longer bootable. Meteor can wipe a system, lock the Master Boot Record, and install screen lockers. It’s quite destructive, and wipers aren’t used for ransom profits: malicious actors who use file wipers are in it for the lulz or to cause stress and dumpster fires for the companies targeted. They can also be used as a distraction technique for additional campaigns.

SentinelOne explains that the attacker extracts a password-protected RAR archive and adds the associated files to a network share accessible from the railway network. Windows group policies are reconfigured so the attacker can launch a setup.bat batch file, which copies executables and other batch files to the local devices and then runs them. Those scripts check for antivirus and terminate the attack if Kaspersky AV is detected, disconnect the device from the network, add Windows Defender exclusions for the malware, clear event logs, delete a diagnostics task, flush the filesystem cache to disk, and finally launch the wiper and lockers. All of this leaves the infected device unbootable and wiped of its files.
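Seen from the defender's side, the preparation steps above (a Defender exclusion appears, a scheduled task is deleted, the event log is cleared) each leave a standard Windows event behind, and the useful signal is that several of them land on one host within minutes of each other. The script below is an added example, not code from ThreatWire or from SentinelOne's report: it parses a constructed pipe-separated export of forwarded Windows events and raises an alert when at least three distinct indicators occur on the same host inside a ten-minute window. The event IDs are the real Windows ones (Security 1102 = audit log cleared, Security 4699 = scheduled task deleted, Defender Operational 5007 = antimalware configuration changed); the log format, hostnames, task name and timestamps are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Detection rules: (indicator name, log channel, event ID, optional regex on the message).
# The event IDs are standard Windows IDs; only the message regex is our own choice.
RULES = [
    ("defender_exclusion_added",
     "Microsoft-Windows-Windows Defender/Operational", 5007,
     re.compile(r"Exclusions\\(Paths|Processes|Extensions)", re.IGNORECASE)),
    ("event_log_cleared", "Security", 1102, None),
    ("scheduled_task_deleted", "Security", 4699, None),
]

WINDOW = timedelta(minutes=10)   # indicators must all fall inside this span
MIN_INDICATORS = 3               # distinct indicators needed to raise an alert

# Constructed sample export (timestamp|host|channel|event_id|message); not real telemetry.
SAMPLE_LOG = r"""
2021-07-09T03:14:05|WS-TICKET-07|Microsoft-Windows-Windows Defender/Operational|5007|Configuration changed: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\temp = 0x0
2021-07-09T03:14:09|WS-TICKET-07|Security|4699|A scheduled task was deleted. Task Name: \ExampleDiagnosticsTask (placeholder)
2021-07-09T03:14:12|WS-TICKET-07|Security|1102|The audit log was cleared.
2021-07-09T03:20:00|WS-ADMIN-02|Security|1102|The audit log was cleared.
2021-07-09T03:30:00|WS-ADMIN-02|Microsoft-Windows-Windows Defender/Operational|5007|Configuration changed: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0
2021-07-09T08:00:00|WS-ADMIN-02|Security|4699|A scheduled task was deleted. Task Name: \ExampleDiagnosticsTask (placeholder)
"""


def parse_line(line):
    """Parse one pipe-separated record into a dict, or return None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, channel, event_id, msg = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "host": host,
                "channel": channel, "id": int(event_id), "msg": msg}
    except ValueError:
        return None


def match_indicator(event):
    """Return the name of the first rule a record satisfies, or None."""
    for name, channel, event_id, pattern in RULES:
        if event["channel"] == channel and event["id"] == event_id:
            if pattern is None or pattern.search(event["msg"]):
                return name
    return None


def correlate(lines):
    """Bucket matched indicators per host and report every host on which at
    least MIN_INDICATORS distinct indicators occur within WINDOW of each other.
    Returns {host: sorted list of indicator names}."""
    hits = defaultdict(list)  # host -> [(timestamp, indicator name)]
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        name = match_indicator(event)
        if name:
            hits[event["host"]].append((event["ts"], name))

    alerts = {}
    for host, items in hits.items():
        items.sort()  # chronological, so items[i:] are all at or after items[i]
        for i, (start, _) in enumerate(items):
            seen = {n for t, n in items[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_INDICATORS:
                alerts[host] = sorted(seen)
                break
    return alerts


def run_demo():
    """Run the correlation over the constructed sample and return the alerts."""
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for host, indicators in run_demo().items():
        print(f"ALERT {host}: {', '.join(indicators)}")
```

Two design points follow directly from the attack chain: the script works on forwarded events rather than the local log, because the batch file clears the local event log (the 1102 record is written after the clear and only survives if it was shipped off-host first), and it requires several distinct indicators rather than any single one, since a lone Defender configuration change or task deletion is routine administration on most fleets.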

Interestingly, SentinelOne points out that Meteor targets the SAME disk sectors as NotPetya, but that technique was also used in the original Petya campaigns and has been widely reused since. So we don’t know at this time who is behind the railway attacks or whether the motive was just to cause chaos. The researchers included detection rules for fellow security researchers in the event that this new malware is more widely used.

Support ThreatWire!  https://www.patreon.com/threatwire

https://www.swisslog-healthcare.com/en-us/company/news/2021/07/translogic-firmware-vulnerabilities

https://www.theguardian.com/world/2021/jul/11/cyber-attack-hits-irans-transport-ministry-and-railways

https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/

https://www.bleepingcomputer.com/news/security/new-destructive-meteor-wiper-malware-used-in-iranian-railway-attack/

https://thehackernews.com/2021/07/a-new-wiper-malware-was-behind-recent.html

https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/
