Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Latest Cyberattack Against Iran Part of Ongoing Campaign

Iran’s steel manufacturing industry is victim to ongoing cyberattacks that previously impacted the country’s rail system.

Malware used in a crippling cyberattacks against an Iranian steel plants last week is connected to an attack that shut down the country’s rail system last year. In both cases, on malware strain was used to impact physical and critical infrastructure, according to a report from Check Point Research.

The overlaps in the code, combined with contextual clues and even recycled jokes, indicate that the same threat actor, dubbed Indra, is behind the attacks impacting Iran’s infrastructure.

Alleged Motives

On June 27, a steel billet production line at the Khuzestan Steel Corporation began to malfunction. According to reports, sparks flew sparking a fire in the heart of the plant.

In a statement to the press, Khuzestan Steel’s CEO denied that any damage had been done.

“With timely action and vigilance the attack failed and no damage was done to the production line,” the company said in a statement.

A video posted to Twitter under the username @GonjeshkeDarand claimed responsibility for the both attacks. The video purported to show footage from inside the steel factory. A message was included explaining the attackers’ motives:

“These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber attacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic.”

Last year – on the morning of Friday, July 9 – Iran’s national railway system came under attack. On information boards at stations across the country, hackers posted messages about delays and cancellations that didn’t actually exist. (Those messages themselves caused delays, as confusion swept through the commuter crowds.) Check Point attributed that disruption to Indra, a group that’s been active since 2019.

Connecting This Week to Last Year

In both the steel and railway attacks, the perpetrators posted a notice instructing victims and passengers to call a certain phone number. That number belongs to the office of the Ayatollah Khamenei, according to Check Point.

Check Point claims it has overlaps between the malware used in both campaigns.

An executable (chaplin.exe) discovered in last week’s attack is a variant of malware identified as meteor, a wiper strain believed used in last year’s attack against Iran’s railway system. “It’s clear that both variants share a codebase,” according to researchers. The malware was dubbed separately as chaplin.

Even without a wiper, the malware is potent. “It begins its execution by disconnecting the network adapters, logging off the user, and executing another binary in a new thread,” the researchers tweeted. The binary “forces the display to be ON and blocks the user from interacting with the computer.” After completely blocking the victim from their own computer’s operation, Chaplin displays the hackers’ message onscreen and “deletes the “Lsa” registry key, preventing the system from booting correctly.”

The investigation into last Monday’s attacks is still ongoing.

Related News

Nearly 500 million WhatsApp User Records Sold Online

Nearly 500 million WhatsApp User Records Sold Online

In what is becoming a rather common trend, a threat actor is claiming to sell 487 million WhatsApp users’ mobile…
How to Create ISO Files from Discs – 3 Best Ways

How to Create ISO Files from Discs – 3 Best Ways

An ISO file is a disk image of an optical disc. It is a single file that contains all the…
All You Need to Know About Emotet in 2022

All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it’s distributing malicious spam. Let’s dive…