Threat Signal Report

Attack on the Iranian train system by Meteor Wiper

Description

FortiGuard Labs is aware of multiple reports that on July 9th, 2021 an unidentified threat actor attacked the Iranian train system with previously unknown wiper malware, leaving the Iranian railway service inoperable. Reportedly on the same day, schedule display screens in train stations were defaced with a message asking passengers to call '64411', a number that belongs to the Iranian Supreme Leader's office. Another report suggests that the website of Iran's transport ministry was taken down due to a cyber attack on the Ministry of Roads and Urban Development.

When Did the Attack Occur?

The attack occurred on July 9th, 2021.

What is the Name of this Attack Campaign and Associated Malware?

The attack campaign and the malware were named "MeteorExpress" and "Meteor," respectively, by the security vendor SentinelOne.

What are the Technical Details of this Attack?

Details are not available as to how the Iranian train system was initially accessed. According to SentinelOne, the tool that was used for this campaign consists of "a combination of batch files orchestrating different components dropped from RAR archives". The destructive components of the malware are split into three parts: Meteor is responsible for wiping the filesystem, mssetup.exe locks the system, and another executable "nti.exe" presumably corrupts the MBR of the compromised system. Unfortunately, a sample of "nti.exe" has not been recovered to confirm its MBR corruption feature.

How Widespread is this Attack?

The attack is limited to Iran.

Does Meteor Perform any Activities Other than Wiping?

SentinelOne reported that Meteor deletes shadow copies and removes the machine from the domain in order to make file recovery difficult. Meteor also has the following features; however, they were reportedly not used in this attack:

  • Changes passwords for all users
  • Disables screensavers
  • Terminates processes based on a list of target processes
  • Installs a screen locker
  • Disables recovery mode
  • Changes boot policy error handling
  • Creates scheduled tasks
  • Logs off local sessions
  • Changes lock screen images depending on different Windows versions
  • Creates processes and executes commands
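
One way to hunt for the behaviours and capabilities described above in process-creation logs, added here as an example and not code from FortiGuard Labs or SentinelOne. The command-line patterns are common Windows commands for these behaviours (an assumption, not indicators taken from the Meteor samples), and the events, host names and thresholds are constructed.

```python
import re
from collections import defaultdict

# Behaviour names follow the report. The patterns are generic Windows commands
# for those behaviours (an assumption), not indicators taken from Meteor.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "boot_policy_changed": re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "domain_unjoin": re.compile(
        r"unjoindomainorworkgroup|remove-computer|netdom(\.exe)?\s+remove", re.I),
    "scheduled_task_created": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}

def classify(cmdline):
    """Return the behaviours a single command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def correlate(events, window_s=600, min_behaviours=2):
    """Map host -> behaviours for hosts showing at least min_behaviours
    distinct behaviours within window_s seconds (one alone is often benign)."""
    hits = defaultdict(list)
    for ts, host, cmdline in events:
        hits[host].extend((ts, b) for b in classify(cmdline))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            in_window = {b for ts, b in seen[i:] if ts - start <= window_s}
            if len(in_window) >= min_behaviours:
                alerts[host] = sorted(in_window)
                break
    return alerts

# Constructed process-creation events: (epoch seconds, host, command line).
SAMPLE_EVENTS = [
    (1000, "WS-01", "vssadmin.exe delete shadows /all /quiet"),
    (1030, "WS-01", "bcdedit /set {default} recoveryenabled no"),
    (1045, "WS-01", "wmic computersystem where name='WS-01' call unjoindomainorworkgroup"),
    (2000, "SRV-02", r"schtasks /create /tn Backup /tr C:\tools\backup.cmd /sc daily"),
    (9000, "WS-03", "vssadmin list shadows"),
    (500, "SRV-04", "vssadmin delete shadows /for=C: /oldest"),
    (90000, "SRV-04", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

Only WS-01 alerts on the sample data: SRV-02 shows a single routine behaviour, and SRV-04's two events fall outside the correlation window.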

Were any Vulnerabilities Exploited in the Attack?

We have not been able to confirm that any vulnerabilities were exploited as part of the attack, as details are not available on how the Iranian train system was breached.

Is the Attack Associated with Any Known Threat Actors?

Unconfirmed at this point. FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.

How Serious of an Issue is This?

Medium. The transportation system in Iran became inoperable; however, the attack campaign is limited to Iran and has not been observed elsewhere.

What is the Status of Coverage?

FortiGuard Labs has the following AV coverage in place against the attack:

  • W32/Agent.FBE3!tr
  • W32/Agent.5522!tr
  • BAT/Agent.B735!tr
  • BAT/Agent.691E!tr
  • BAT/Agent.B30F!tr
  • BAT/Agent.E00F!tr
  • BAT/Zapchast.ER!tr


Traffic Light Protocol

Color: TLP:RED. Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

Color: TLP:AMBER. Limited disclosure, restricted to participants’ organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

Color: TLP:GREEN. Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

Color: TLP:WHITE. Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.