This attack was most likely the work of a threat group that was determined to maximize damage, without any apparent demands for money. Despite the coordination and skill apparent in the code, the threat group still made some mistakes that help researchers with analysis. The new Meteor disk-wiping malware appears to be based on a sample with debug features still attached, which makes thorough analysis faster. This attack highlights the need across all countries to reinforce security of critical infrastructure. Iran’s rail system covers over 6,000 miles and provides access to seven adjacent countries, so this attack that canceled trains severely impacted travel and commerce for the few days that the systems were down. It is important for critical infrastructure to have redundant backup systems and active monitoring for threat activity to stop attacks in the early stages. In this attack, the intruders must have gained access to administrator accounts and used them to deploy software and delete volume shadow copies. These are anomalous patterns that can be detected through endpoint monitoring. When threat activity is detected, it is important to respond quickly, with a Security Operations Center operating 24 hours a day. Binary Defense has years of experience working with critical infrastructure and providing threat hunting, SIEM and endpoint monitoring, and response services.

https://therecord.media/cyber-attack-on-iranian-railway-was-a-wiper-incident-not-ransomware/