On July 9, 2021, reports came flooding in that Iran's Railway Authority had been the victim of a cyber attack, crippling both passenger and cargo operations. A spokesperson for the Islamic Republic of Iran Railways initially denied the reports, even though defacements and attacker statements were in public view. As it turns out, this was a coordinated multi-stage attack against the Railway Authority that ended in the deployment of destructive disk-wiping malware, not ransomware. The campaign was dubbed "MeteorExpress" and consisted of three stages. First, a malicious installer package using the filename "mssetup.msi" was deployed; it acted as a screen locker to lock the user out of the PC. Next, an executable program called "nti.exe" rewrote the master boot record of affected computers. Finally, a new disk-wiper malware called "Meteor," which researchers had not previously observed, wiped data from the disks. Upon initial compromise the malware went straight to deleting shadow volumes and disconnecting the machines from their Domain Controller, preventing any emergency triage.
This attack was most likely the work of a threat group determined to maximize damage, with no apparent demand for money. Despite the coordination and skill apparent in the code, the threat group still made some mistakes that help researchers with analysis. The new Meteor disk-wiping malware appears to be based on a sample with debug features still attached, which makes thorough analysis faster. This attack highlights the need, in every country, to reinforce the security of critical infrastructure. Iran's rail system covers over 6,000 miles and provides access to seven adjacent countries, so the train cancellations severely impacted travel and commerce for the few days that the systems were down. It is important for critical infrastructure to have redundant backup systems and active monitoring for threat activity so that attacks can be stopped in their early stages. In this attack, the intruders must have gained access to administrator accounts and used them to deploy software and delete volume shadow copies. These are anomalous patterns that can be detected through endpoint monitoring. When threat activity is detected, it is important to respond quickly, with a Security Operations Center operating 24 hours a day. Binary Defense has years of experience working with critical infrastructure and providing threat hunting, SIEM and endpoint monitoring, and response services.
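As an added illustration of the endpoint-monitoring point above (example code written for this page, not code from the original post or from Binary Defense), here is a minimal detection rule that scans process-creation events for the shadow-copy deletion behaviour described in the attack and reports which hosts it fired on. The event field names, hostnames and usernames are constructed assumptions, loosely modelled on Sysmon Event ID 1 / Windows 4688 records.

```python
import re

# Constructed sample of endpoint process-creation events (not telemetry from
# the incident). Field names are assumptions, not a real product schema.
SAMPLE_EVENTS = [
    {"host": "RAIL-WS-01", "user": "RAIL\\ops.admin",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "RAIL-WS-01", "user": "RAIL\\ops.admin",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "RAIL-WS-02", "user": "RAIL\\backup.svc",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing only
    {"host": "RAIL-WS-03", "user": "RAIL\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe schedule.txt"},
    {"host": "RAIL-WS-04", "user": "RAIL\\ops.admin",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-WmiObject Win32_ShadowCopy "
                "| ForEach-Object { $_.Delete() }"},
]

# Command lines that remove Volume Shadow Copies. Backup tooling rarely does
# this interactively, so every hit deserves analyst triage.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
]


def detect_shadow_copy_deletion(events):
    """Return one alert per event whose command line deletes shadow copies."""
    alerts = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                           "user": ev["user"], "cmdline": cmd})
    return alerts


def affected_hosts(alerts):
    """Distinct hosts that fired; several hosts at once suggests mass deployment."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = detect_shadow_copy_deletion(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmdline']}")
    print("hosts affected:", affected_hosts(found))
```

In a real deployment the same logic would sit in a SIEM or EDR rule and be correlated with the account that ran the command, since an administrator account deleting shadow copies on several machines in a short window is exactly the early-stage signal the post describes.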