On July 9, 2021, reports came flooding in that Iran’s Railway Authority had been the victim of a cyber attack, crippling both passenger and cargo operations. A spokesperson for the Islamic Republic of Iran Railways initially denied reports of an attack, although defacements and attacker statements were already in public view. As it turned out, this was a coordinated multi-stage attack against the Railway Authority that deployed destructive disk-wiping malware, not ransomware. The campaign was dubbed “MeteorExpress” and consisted of three stages. First, a malicious installer package using the filename “mssetup.msi” was deployed; it acted as a screen locker to lock the user out of the PC. Next, an executable called “nti.exe” rewrote the master boot record of affected computers. Finally, a new disk-wiper called “Meteor,” which researchers had not previously observed, wiped data from the disks. Upon initial compromise the malware went straight to deleting shadow volumes and disconnecting the machines from their Domain Controller, preventing any emergency triage.
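As an added illustration (not code from the article or from Binary Defense), the Python snippet below correlates the three stages described above per host over constructed process-creation events, so that a defender sees the chain rather than three isolated alerts. The mssetup.msi and nti.exe names come from the article; the vssadmin command line used to represent shadow-volume deletion, the host names and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events, not real telemetry:
# (timestamp, host, image path, command line).
# mssetup.msi and nti.exe are named in the article; the vssadmin command line
# is an assumption about how "deleting shadow volumes" would appear in logs.
SAMPLE_EVENTS = [
    ("2021-07-09T06:00:00", "ws-01", "C:\\Windows\\System32\\msiexec.exe", "msiexec.exe /i C:\\Temp\\mssetup.msi /qn"),
    ("2021-07-09T06:00:40", "ws-01", "C:\\Temp\\nti.exe", "nti.exe"),
    ("2021-07-09T06:01:05", "ws-01", "C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("2021-07-09T06:03:00", "ws-02", "C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),
    ("2021-07-09T09:00:00", "ws-03", "C:\\Windows\\System32\\msiexec.exe", "msiexec.exe /i C:\\Temp\\mssetup.msi /qn"),
]

# The MeteorExpress stages in the order the article describes them, each with a matcher
# applied to "image + command line".
STAGES = [
    ("screen_locker", re.compile(r"mssetup\.msi", re.I)),
    ("mbr_rewrite", re.compile(r"(^|\\)nti\.exe\b", re.I)),
    ("shadow_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]

def correlate(events, window=timedelta(minutes=10)):
    """Return {host: [stage names]} for hosts where every stage fires, in order, within `window`."""
    per_host = defaultdict(list)
    for ts, host, image, cmdline in sorted(events):
        per_host[host].append((datetime.fromisoformat(ts), image + " " + cmdline))
    hits = {}
    for host, evs in per_host.items():
        idx, first_ts, matched = 0, None, []
        for ts, text in evs:
            if idx < len(STAGES) and STAGES[idx][1].search(text):
                if first_ts is None:
                    first_ts = ts
                elif ts - first_ts > window:
                    break  # stages too far apart to treat as one chain
                matched.append(STAGES[idx][0])
                idx += 1
        if idx == len(STAGES):
            hits[host] = matched
    return hits

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only ws-01 completes the full chain
```

A partial match (ws-03 running only the installer, ws-02 merely listing shadow copies) is deliberately not reported, which keeps the rule focused on the full chain while leaving the single-stage indicators to separate, lower-severity alerts.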
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is