Part of an On-Going Campaign – Latest Cyber-Attack Against Iran!

Iran’s steel manufacturing industry is victim to ongoing cyber-attacks that previously impacted the country’s rail system.

Malware used in severe cyber-attacks against Iranian steel plants last week is connected to an attack that shut down the country’s rail system in 2021. In both cases, one malware strain was used to affect physical & critical infrastructure, according to a report from Check Point Research.

The overlaps in the code, combined with other clues & even recycled jokes, indicate that the same threat actor, dubbed ‘Indra,’ is behind the attacks impacting Iran’s infrastructure.

Motives

On June 27, a steel billet production line at the Khuzestan Steel Corporation began to malfunction. According to reports, sparks flew, starting a fire in the middle of the plant.

In a statement, Khuzestan Steel’s CEO denied that any damage had been done.

“With timely action & vigilance the attack failed & no damage was done to the production line,” the company outlined in a statement.

Claimed Responsibility

A video posted to Twitter under the username @GonjeshkeDarand claimed responsibility for both attacks. The video purported to show footage from inside the steel factory. A message was included explaining the attackers’ motives:

“These companies are subject to international sanctions & continue their operations despite the restrictions. These cyber-attacks, being conducted carefully so as to protect innocent individuals, are in response to the aggression of the Islamic Republic.”

National Railway System

On the morning of Friday, July 9, 2021, Iran’s national railway system came under attack. On information boards at stations across the country, hackers posted messages about delays & cancellations that did not actually exist.

Those messages themselves caused delays, as confusion swept through the commuter crowds. Check Point attributed that disruption to Indra, a group that has been active since 2019.

Connecting This Week to 2021

In both the steel & railway attacks, the perpetrators posted a notice instructing victims & passengers to call a phone number. That number belongs to the office of the Ayatollah Khamenei, according to Check Point.

Check Point states that it has found overlaps between the malware used in the two campaigns.

An executable (chaplin.exe) discovered in last week’s attack is a variant of malware identified as ‘Meteor,’ a wiper strain believed to have been used in last year’s attack against Iran’s railway system. “It’s clear that both variants share a codebase,” according to researchers. The new variant was separately named ‘Chaplin.’

Potent

Even without a wiper, the malware is potent. “It begins its execution by disconnecting the network adapters, logging off the user, & executing another binary in a new thread,” the researchers tweeted. The binary “forces the display to be ON and blocks the user from interacting with the computer.”

After locking the victim out of their own computer, Chaplin displays the hackers’ message onscreen & “deletes the ‘Lsa’ registry key, preventing the system from booting correctly.”
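A defender-side illustration, added here and not taken from Check Point’s report: a small Python check over constructed Sysmon-style registry events that flags deletion of the Lsa key the researchers describe. It assumes that key is the well-known HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the page names only “Lsa”) and that events carry Sysmon’s EventID, EventType, Image and TargetObject fields.

```python
import re

# Assumption: the "Lsa" key mentioned by the researchers is
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa; match on the key's tail so
# ControlSet001-style paths are also caught.
LSA_KEY = re.compile(r"\\Control\\Lsa$", re.IGNORECASE)

# Constructed sample telemetry using Sysmon field names (not real events):
# EventID 1 = process creation, EventID 12 = registry key create/delete.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\ops\AppData\Local\Temp\chaplin.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Users\ops\AppData\Local\Temp\chaplin.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"},
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Example\StaleSetting"},
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos"},
]


def find_lsa_key_deletions(events):
    """Return (image, target) for every deletion of the Lsa key itself.

    Sub-keys under Lsa are created and removed routinely by Windows, so only
    a DeleteKey whose target ends in ...\\Control\\Lsa is flagged.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 12 or ev.get("EventType") != "DeleteKey":
            continue
        target = ev.get("TargetObject", "")
        if LSA_KEY.search(target):
            hits.append((ev.get("Image", "<unknown>"), target))
    return hits


def triage(events):
    """Render the hits as alert strings a SOC analyst would see."""
    return [f"CRITICAL: {img} deleted {tgt}; host will not boot cleanly"
            for img, tgt in find_lsa_key_deletions(events)]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```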

The investigation into last Monday’s attacks is still ongoing.
