An analysis of a January attack on Iran’s national media corporation, the Islamic Republic of Iran Broadcasting (IRIB), has found that the attackers used multiple malware families, including a data wiper and custom backdoors.
The attack was part of a broader wave of assaults on Iranian critical infrastructure that included a July 2021 attack on the national railway and cargo services and an October 2021 attack on the country’s gas station network, both claimed by the hacking group ‘Predatory Sparrow’.
In August 2021, a hacktivist group released security camera footage depicting prisoner abuse within the Evin prison. On February 7, 2022, footage from the Ghezel Hesar prison was released to the public.
In a new report, security vendor Check Point notes that the attackers attempted to disrupt the broadcasting network by deploying data-wiping malware.
Check Point said it was unable to establish the intrusion vector, but found that the attackers used a .NET-based executable to play a ‘malicious’ video file in a loop, and a batch script to kill the processes of TFI Arista Playout Server, the software IRIB uses for broadcasting, and delete its executable. Similar techniques were used to hijack a second TV stream and an audio stream.
Two identical .NET samples were used to completely erase the computers’ drives and master boot record (MBR). The wiper fully overwrites targeted files and can also delete backups, kill processes, clear Windows Event Logs, and change user passwords.
Check Point identified three backdoors used in the attack: one designed to take screenshots (with a variant that can also execute commands), and two others designed to download and upload files, run commands through cmd, proxy connections, and manipulate local files.
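The playout-kill and wiper behaviours described above (killing and deleting the playout software, deleting backups, clearing Windows Event Logs, changing user passwords) are all visible in ordinary process-creation telemetry. The following is an added detection example written for this article; it is not code from Check Point or from the report. It runs over constructed log lines carrying the fields of Windows Security event 4688 or Sysmon event 1, and the playout process names are assumptions, since the article does not give the real TFI Arista Playout Server process name. The point of the host-level scoring is that any one of these actions is routine admin work; it is the co-occurrence on one host that marks a wiper chain.

```python
"""Behavioural detection for an IRIB-style playout-kill / wiper chain.

Added example, not code from the Check Point report or the article.
Input: constructed process-creation telemetry, one event per line as
host|parent_image|image|command_line (the fields of Security 4688 / Sysmon 1).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed process names for the broadcast playout software; the article does
# not give the real TFI Arista Playout Server process name.
PLAYOUT_PROCESSES = ("aristaplayout.exe", "playoutserver.exe")


@dataclass(frozen=True)
class Event:
    host: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    host, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return Event(host, parent.lower(), image.lower(), cmdline)


def _kills_playout(ev: Event) -> bool:
    # batch script killing the playout server before the video-loop hijack
    cl = ev.cmdline.lower()
    return ev.image.endswith("taskkill.exe") and any(p in cl for p in PLAYOUT_PROCESSES)


def _deletes_playout_binary(ev: Event) -> bool:
    cl = ev.cmdline.lower()
    return (ev.image.endswith("cmd.exe") and re.search(r"\b(del|erase)\b", cl) is not None
            and any(p in cl for p in PLAYOUT_PROCESSES))


def _clears_eventlog(ev: Event) -> bool:
    return (ev.image.endswith("wevtutil.exe")
            and re.search(r"\b(cl|clear-log)\b", ev.cmdline.lower()) is not None)


def _deletes_backups(ev: Event) -> bool:
    cl = ev.cmdline.lower()
    return ((ev.image.endswith("vssadmin.exe") and "delete shadows" in cl)
            or (ev.image.endswith("wbadmin.exe") and "delete" in cl)
            or (ev.image.endswith("bcdedit.exe") and "recoveryenabled no" in cl))


def _changes_password(ev: Event) -> bool:
    # "net user <name> <password>" but not account creation/removal
    cl = ev.cmdline.lower()
    return (ev.image.endswith(("net.exe", "net1.exe"))
            and re.search(r"\buser\s+\S+\s+\S+", cl) is not None
            and "/add" not in cl and "/delete" not in cl)


RULES = {
    "playout_process_killed": _kills_playout,
    "playout_binary_deleted": _deletes_playout_binary,
    "event_logs_cleared": _clears_eventlog,
    "backups_deleted": _deletes_backups,
    "account_password_changed": _changes_password,
}


def analyze(lines):
    """Map each host to the set of chain behaviours observed on it."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for label, pred in RULES.items():
            if pred(ev):
                seen[ev.host].add(label)
    return dict(seen)


def suspicious_hosts(lines, min_behaviours=3):
    """Hosts where enough chain steps co-occur to call it wiper-like; a lone
    shadow-copy cleanup or password reset is normal and must not alert."""
    return sorted(h for h, b in analyze(lines).items() if len(b) >= min_behaviours)


# Constructed telemetry: BCAST01 shows the full chain, ADMIN02 only a routine
# backup cleanup that must not alert on its own.
SAMPLE_LOG = """\
BCAST01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM AristaPlayout.exe
BCAST01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\cmd.exe|cmd /c del /F /Q "C:\\Program Files\\TFI\\AristaPlayout.exe"
BCAST01|C:\\Users\\op\\wiper.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
BCAST01|C:\\Users\\op\\wiper.exe|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security
BCAST01|C:\\Users\\op\\wiper.exe|C:\\Windows\\System32\\net.exe|net user operator Xy!7qpLm
ADMIN02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=D: /oldest
"""

if __name__ == "__main__":
    for host, behaviours in analyze(SAMPLE_LOG.splitlines()).items():
        print(host, sorted(behaviours))
    print("wiper-like:", suspicious_hosts(SAMPLE_LOG.splitlines()))
```

Running the block flags only BCAST01, where all five behaviours co-occur; ADMIN02 shows a single backup deletion and stays below the threshold. Raw MBR overwrites are not visible in process-creation events and would need a driver or EDR hook on writes to `\\.\PhysicalDrive0`, which this example does not cover.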
Based on various artifacts within the analyzed samples, Check Point was able to connect the malicious tools to the same cluster of activity.
“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, which […] is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details […] suggest that the attackers behind the IRIB hack may have been inspired by previous attacks that happened in Iran,” Check Point said in its latest report.
Another possibility is that the attackers had help from the inside: they used rather low-quality, unsophisticated tools, yet were able to “pull off a complicated operation to bypass security systems and network segmentation.”
Check Point also notes that, while the exact damage caused by the attack is still unknown, MEK-affiliated news outlets recently suggested that more than 600 servers and broadcasting, production, and archive equipment may have been destroyed in the attack.