Attack on the Iranian train system by Meteor Wiper

Description

FortiGuard Labs is aware of multiple reports that on July 9th, 2021 the Iranian train system was attacked by an unidentified threat actor using a previously unknown wiper malware, which left the Iranian railway service inoperable. Reportedly on the same day, schedule display screens in train stations were defaced with a message asking passengers to call '64411', a number reported to belong to the office of the Iranian Supreme Leader. Another report suggests that the website of Iran's transport ministry was taken down by a cyber attack on the Ministry of Roads and Urban Development.


When Did the Attack Occur?

The attack occurred on July 9th, 2021.


What is the Name of this Attack Campaign and Associated Malware?

The attack campaign and the malware were named "MeteorExpress" and "Meteor," respectively, by security vendor SentinelOne.


What are the Technical Details of this Attack?

Details are not available as to how the Iranian train system was initially accessed. According to SentinelOne, the toolkit used in this campaign consists of "a combination of batch files orchestrating different components dropped from RAR archives". The destructive components are split into three parts: Meteor wipes the filesystem, mssetup.exe locks the system, and a third executable, "nti.exe", presumably corrupts the Master Boot Record (MBR) of the compromised system. A sample of "nti.exe" has not been recovered, so its MBR corruption capability remains unconfirmed.


How Widespread is this Attack?

The attack is limited to Iran.


Does Meteor Perform any Activities Other than Wiping?

SentinelOne reported that Meteor deletes shadow copies and removes the machine from the domain in order to make file recovery difficult. Meteor also has the following capabilities; however, they were reportedly not used in this attack:

  • Changes passwords for all users
  • Disables screensavers
  • Terminates processes based on a list of target processes
  • Installs a screen locker
  • Disables recovery mode
  • Changes boot policy error handling
  • Creates scheduled tasks
  • Logs off local sessions
  • Changes lock screen images depending on the Windows version
  • Creates processes and executes commands
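The recovery-hampering behaviours listed above (shadow copy deletion, domain removal, disabling recovery mode, changing the boot status policy, creating scheduled tasks) are the kind of precursor activity a defender can hunt for in process-creation telemetry before the wipe itself lands. The following is an added example written for this report, not code from FortiGuard Labs or from SentinelOne's analysis. It assumes the behaviours are carried out through the usual built-in Windows utilities (vssadmin, wmic, bcdedit, schtasks, Remove-Computer/netdom); the page does not state which commands Meteor actually issues, so those command-line patterns and the sample events are constructed assumptions.

```python
import re

# Detection rules: tag -> regex over the process command line.
# ASSUMPTION: these are the common native Windows commands for each behaviour;
# the report does not specify Meteor's exact command lines.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    ("boot_policy_changed",
     re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("domain_removal",
     re.compile(r"Remove-Computer|netdom(\.exe)?\s+remove", re.I)),
    ("scheduled_task_created",
     re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
]

# Constructed sample of Sysmon Event ID 1 / Security 4688 style records reduced
# to the fields the detection needs. NOT telemetry from the Meteor incident.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS01", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS01", "parent": "cmd.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "parent": "cmd.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -c Remove-Computer -UnjoinDomainCredential $cred -Force"},
    # Benign noise: a backup operator listing shadows and a user opening a file.
    {"host": "WS02", "parent": "services.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]


def classify(cmdline: str) -> set:
    """Return the set of behaviour tags whose pattern matches this command line."""
    return {tag for tag, pattern in RULES if pattern.search(cmdline)}


def score_hosts(events, threshold: int = 2) -> dict:
    """Aggregate tags per host and return hosts showing at least `threshold`
    distinct recovery-hampering behaviours. A single vssadmin call can be
    legitimate admin work; several of these in combination on one host is the
    pattern that precedes a wipe."""
    per_host = {}
    for ev in events:
        tags = classify(ev["cmdline"])
        if tags:
            per_host.setdefault(ev["host"], set()).update(tags)
    return {host: sorted(tags) for host, tags in per_host.items()
            if len(tags) >= threshold}


if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_PROCESS_EVENTS).items():
        print(f"ALERT {host}: wiper precursor behaviours {tags}")
```

The threshold is the important design choice: each rule on its own would fire on routine administration, so the alert keys on the combination of behaviours per host, which is what the report describes Meteor doing to defeat recovery. In a live deployment the events would come from the EDR or the Windows event log rather than the embedded list.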

Were any Vulnerabilities Exploited in the Attack?

We have not been able to confirm that any vulnerabilities were exploited as part of the attack, as details are not available on how the Iranian train system was initially accessed.


Is the Attack Associated with Any Known Threat Actors?

Unconfirmed at this point. FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.


How Serious of an Issue is This?

Medium. The transportation system in Iran became inoperable; however, the attack campaign is limited to Iran and has not been observed elsewhere.


What is the Status of Coverage?

FortiGuard Labs has the following AV coverage in place against the attack:

  • W32/Agent.FBE3!tr
  • W32/Agent.5522!tr
  • BAT/Agent.B735!tr
  • BAT/Agent.691E!tr
  • BAT/Agent.B30F!tr
  • BAT/Agent.E00F!tr
  • BAT/Zapchast.ER!tr