Wiper Used in Attack on Iran National Media Network

An analysis of a January attack targeting Iran’s national media corporation (Islamic Republic of Iran Broadcasting, IRIB) has found the use of multiple malware families, including a data wiper and custom backdoors.

The recent attack was part of a broader wave of attacks on Iranian critical infrastructure, which included a July 2021 attack on the national railway and cargo services and an October 2021 attack on the country’s gas station network, both claimed by the hacking group ‘Predatory Sparrow’.

In August 2021, a hacktivist group released security camera footage depicting prisoner abuse within the Evin prison. On February 7, 2022, footage from the Ghezel Hesar prison was released to the public.

In a new report, security vendor Check Point notes that the attackers attempted to disrupt the broadcasting network by deploying data-wiping malware.

[ READ: Mysterious MeteorExpress Wiper Linked to Iran Train Cyberattack ]

Check Point said it was unable to establish the intrusion vector, but found that the attackers used a .NET-based executable to play a ‘malicious’ video file in a loop and a batch script to kill any processes associated with TFI Arista Playout Server, the software that IRIB uses for broadcasting, and to delete its executable. Similar techniques were used to hijack a different TV stream and an audio stream.

Two identical .NET samples used in the attack were employed to wipe the computers’ drives and master boot record (MBR). The malware can fully overwrite targeted files and can also delete backups, kill processes, clear Windows Event Logs, and change user passwords.
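The behaviours described in the two paragraphs above (killing and deleting the playout software, clearing event logs, deleting backups, changing passwords) are individually noisy but rarely occur together on one host inside a few minutes. The following detection example is added here for illustration; it is not code from Check Point’s report or from the malware. It correlates process-creation events per host and flags a destructive chain. Assumptions: the events are constructed for this example and imitate Sysmon Event ID 1 exported as JSON lines with `UtcTime`, `Computer` and `CommandLine` fields; the playout executable name `aristaplayout.exe` is a placeholder (the article names the product but not its binary); and the command lines (`taskkill`, `del`, `wevtutil cl`, `vssadmin delete shadows`, `net user <name> <password>`) are typical Windows commands for these behaviours, not the commands actually used in the IRIB attack.

```python
"""Correlate process-creation events into a wiper-style destructive chain.

Added example; not Check Point's code or the attackers' tooling. The event
lines below are constructed and the executable name is an assumption.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed executable name for TFI Arista Playout Server (the article does
# not name the binary); adjust to the real process name in your estate.
PLAYOUT_EXE = "aristaplayout.exe"

# (category, regex over the lower-cased command line). These are typical
# Windows commands for each behaviour, assumed for the example.
RULES = [
    ("kill_playout", re.compile(r"taskkill\b.*\b" + re.escape(PLAYOUT_EXE))),
    ("delete_playout_bin", re.compile(r"\bdel\b.*" + re.escape(PLAYOUT_EXE))),
    ("clear_eventlog", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("delete_backups", re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog)")),
    # 'net user NAME PASSWORD' sets a password; 'net user NAME /domain' only
    # queries, so the argument after the name must not start with '/'.
    ("change_password", re.compile(r"\bnet(1)?(\.exe)?\s+user\s+\S+\s+[^/\s]\S*")),
]

# Constructed sample events (Sysmon EID 1 style, JSON lines). PLAYOUT-01
# shows the full chain; the other hosts show isolated, benign-looking uses.
SAMPLE_EVENTS = [
    r'{"UtcTime": "2022-01-27T10:00:03", "Computer": "PLAYOUT-01", "CommandLine": "cmd.exe /c taskkill /f /im aristaplayout.exe"}',
    r'{"UtcTime": "2022-01-27T10:00:04", "Computer": "PLAYOUT-01", "CommandLine": "cmd.exe /c del /f /q C:\\TFI\\aristaplayout.exe"}',
    r'{"UtcTime": "2022-01-27T10:02:10", "Computer": "PLAYOUT-01", "CommandLine": "wevtutil.exe cl Security"}',
    r'{"UtcTime": "2022-01-27T10:02:11", "Computer": "PLAYOUT-01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}',
    r'{"UtcTime": "2022-01-27T10:03:00", "Computer": "PLAYOUT-01", "CommandLine": "net user administrator Xk9!pQ2v"}',
    r'{"UtcTime": "2022-01-27T09:15:00", "Computer": "WS-HELPDESK", "CommandLine": "net user jdoe /domain"}',
    r'{"UtcTime": "2022-01-27T09:16:00", "Computer": "WS-HELPDESK", "CommandLine": "wevtutil cl Application"}',
    r'{"UtcTime": "2022-01-28T02:00:00", "Computer": "BACKUP-02", "CommandLine": "vssadmin delete shadows /for=C: /oldest"}',
    r'{"UtcTime": "2022-01-28T02:01:00", "Computer": "BACKUP-02", "CommandLine": "taskkill /im notepad.exe"}',
]


def classify(cmdline):
    """Return the set of destructive categories a command line matches."""
    cl = cmdline.lower()
    return {cat for cat, rx in RULES if rx.search(cl)}


def correlate(lines, window_minutes=30, min_categories=3):
    """Per host, find the largest set of distinct destructive categories
    observed inside any window of `window_minutes`; return {host: [cats]}
    for hosts reaching `min_categories`."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        cats = classify(ev["CommandLine"])
        if cats:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), cats))

    alerts = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        best = set()
        for i, (t0, _) in enumerate(events):       # sliding window from each event
            seen = set()
            for t, cats in events[i:]:
                if t - t0 > window:
                    break
                seen |= cats
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_categories:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: destructive chain {cats}")
```

The threshold of three distinct categories is what keeps routine administration (a backup job running `vssadmin`, a help-desk `wevtutil cl` after a ticket) from alerting on its own; tune `window_minutes` and `min_categories` to your environment, and treat any hit on `kill_playout` or `delete_playout_bin` on a broadcast host as worth a look even alone.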


Check Point identified three backdoors used in the attack: one designed to take screenshots (with a variant that can also execute commands), and two others designed to download and upload files, run commands through cmd, proxy connections, and manipulate local files.

[ READ: Iran Hackers Using PowerShell Backdoor Linked to Memento Ransomware ]

Based on various artifacts within the analyzed samples, Check Point was able to connect the malicious tools to the same cluster of activity.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, which […] is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details […] suggest that the attackers behind the IRIB hack may have been inspired by previous attacks that happened in Iran,” Check Point said in its latest report.

Another possibility is that the attackers had help from the inside, given that they used rather low-quality and unsophisticated tools, yet were able to “pull off a complicated operation to bypass security systems and network segmentation.”

Check Point also notes that, while the exact damage caused by the attack is still unknown, MEK-affiliated news outlets recently suggested that more than 600 servers and broadcasting, production, and archive equipment might have been destroyed in the attack.

Related: Iran-Linked Hackers Attack Israeli Targets 

Related: US Takes Down Iran-linked News Sites, Alleges Disinformation

Related: New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
