Massive Cyberattack Led to Chaos in Iranian Train System

A recent large-scale cyberattack involving the wiper malware Meteor disrupted Iran's national rail infrastructure and took down the ministry of transportation's website, causing significant train service interruptions throughout the country, according to The Hacker News.

On July 9, the Iranian train system was brought to a standstill by the attack, with passengers advised to direct complaints to a displayed phone number attributed to Ayatollah Ali Khamenei. The incident caused considerable chaos at train terminals, with hundreds of trains delayed or cancelled.

According to researchers at SentinelOne and the Iranian antivirus company Amn Pardaz, the campaign, dubbed MeteorExpress, could not be tied to any previously documented threat group or attack. Although Meteor is thought to have been in development over the last three years, this appears to be the first known occurrence of its deployment.

According to Juan Andres Guerrero-Saade, Principal Threat Researcher at SentinelOne, the company's analysts were able to recover most of the attack components despite having few specific indicators of compromise to start from. In short, they were able to reconstruct the digital fingerprints of a previously unknown attacker. The bad news is that the attack is designed to cripple the targeted systems, leaving few options for recovery via shadow copies or domain administration.

Train delays and cancellations followed the attack

According to SentinelOne, the intrusion abused Group Policy to distribute a toolkit made up of batch files that orchestrate the remaining components. Those components are dropped from several RAR archives and chained together to encrypt the file system, corrupt the Master Boot Record (MBR), and lock the machine. The researchers also found batch scripts that disconnect the infected host from the network and then add Windows Defender exclusions for every component of the toolkit.

Meteor appears to be an externally configurable wiper capable of running additional malicious code, terminating arbitrary processes, changing user passwords, and disabling recovery mode. The wiper itself is rife with sanity checks, error checking, and redundancy in pursuit of its goals, yet the rest of the toolkit is far less polished; the researchers read that mismatch as the sign of a fragmented approach and a lack of coordination among the development teams.
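As an added illustration, not part of the original article or of SentinelOne's published analysis, the Python below shows how a defender might hunt process-creation telemetry for the staging behaviours described in the two paragraphs above: Windows Defender exclusions being added, the host being cut off from the network, and recovery being disabled. The log lines are constructed, the hostnames, timestamps and paths are invented, and the specific commands matched (Add-MpPreference, netsh, bcdedit, vssadmin) are assumptions about how such steps would look in a command line, not commands quoted from the Meteor toolkit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed process-creation events (not real telemetry) in a simplified
# Sysmon-like key=value form. Hostnames, timestamps and paths are invented.
SAMPLE_EVENTS = [
    'ts=2021-07-09T04:01:12Z host=WS01 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c C:\\temp\\setup.bat"',
    'ts=2021-07-09T04:01:14Z host=WS01 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -c Add-MpPreference -ExclusionPath C:\\temp"',
    'ts=2021-07-09T04:01:15Z host=WS01 image=C:\\Windows\\System32\\netsh.exe cmdline="netsh interface set interface Ethernet admin=disable"',
    'ts=2021-07-09T04:01:16Z host=WS01 image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"',
    'ts=2021-07-09T04:01:17Z host=WS01 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2021-07-09T04:05:00Z host=WS02 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad report.txt"',
    'ts=2021-07-09T04:06:00Z host=WS02 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell Get-MpPreference"',
]

# Detection rules: (name, MITRE ATT&CK technique or None, pattern over the command line).
# The commands are assumed ways of performing each step, not quotes from the toolkit.
RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    ("network_interface_disabled", None,
     re.compile(r"netsh\s+interface\s+set\s+interface\s+\S+\s+admin=disable", re.I)),
    ("boot_recovery_disabled", "T1490",
     re.compile(r"bcdedit\s+/set\s+\{(default|current)\}\s+recoveryenabled\s+no", re.I)),
    ("shadow_copies_deleted", "T1490",
     re.compile(r"vssadmin\s+delete\s+shadows", re.I)),
]

# key=value pairs; a quoted value may contain spaces (needed for cmdline).
EVENT_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, unquoting quoted values."""
    fields = {}
    for m in EVENT_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    rule: str
    technique: Optional[str]
    cmdline: str


def detect(lines: List[str]) -> List[Alert]:
    """Run every rule over the command line of every event; one Alert per hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("ts", ""), ev.get("host", "?"), name, technique, cmd))
    return alerts


def correlate(alerts: List[Alert], threshold: int = 2) -> Dict[str, Set[str]]:
    """Return hosts that tripped at least `threshold` distinct rules.

    A lone Defender exclusion is routine admin noise; exclusions plus network
    isolation plus recovery tampering on the same host is the staging pattern
    a wiper needs before it fires, so only the combination is escalated.
    """
    rules_by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return {h: r for h, r in rules_by_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a.ts} {a.host} {a.rule} ({a.technique}): {a.cmdline}")
    print("wiper staging suspected on:", sorted(correlate(hits)))
```

In a real deployment the same rules would sit on top of Sysmon Event ID 1 or the Defender operational log (Event ID 5007 records configuration changes such as new exclusions), and `correlate` would additionally bound the hits to a short time window, since the whole staging sequence in this kind of attack runs in seconds rather than days.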

Guerrero-Saade concluded: “We should keep in mind that the attackers were already familiar with the general setup of their target, features of the domain controller, and the target’s choice of backup system (Veeam). That implies a reconnaissance phase that flew entirely under the radar and a wealth of espionage tooling that we’ve yet to uncover.”
