Footage of opposition leaders calling for the assassination of Iran’s Supreme Leader ran on several of the nation’s state-run TV channels in late January after a state-sponsored cyber-attack on Iranian state broadcaster IRIB.
The incident – one of a series of politically motivated attacks in Iran that have occurred in the last year – included the use of a wiper that potentially ties it to a previous high-profile attack on Iran’s national transportation networks in July, according to researchers from Check Point Research.
However, though the earlier attacks have been attributed to Iran state-sponsored actor Indra, researchers believe a copycat actor was behind the IRIB attack based on the malware and tools used in the attack, they said in a report published Friday.
“Among the tools used in the attack, we identified malware that takes screenshots of the victims’ screens, several custom-made backdoors, and related batch scripts and configuration files used to install and configure the malicious executables,” researchers wrote in the report. “We could not find any evidence that these tools were used previously, or attribute them to a specific threat actor.”
The disruptive attack on IRIB occurred on Jan. 27, with attackers showing a savviness and knowledge of how to infiltrate systems that suggest it may also have been an inside job, researchers said.
The attack managed to bypass security systems and network segmentation, penetrate the broadcaster’s networks, and produce and run the malicious tools that relied on internal knowledge of the broadcasting software used by victims, “all while staying under the radar during the reconnaissance and initial intrusion stages,” they noted.
Indeed, nearly two weeks after the attack happened, new affiliated with opposition party MEK published a status report of the attack claiming that state-sponsored radio and TV networks still had not returned to normal, and that more than 600 servers, advanced digital production, archiving, and broadcasting of radio and television equipment have been destroyed, according to the report.
Spate of Attacks
Iran’s national infrastructure has been the victim of a wave of attacks aimed at causing serious disruption and damage. Two incidents that targeted national transportation infrastructure occurred in two subsequent days in July.
One was a rail-transportation incident – which disrupted rail service and also taunted Iran Supreme Leader Ayatollah Sayyid Ali Hosseini Khamenei via hacked public transit display screens. A day later, Iran’s Ministry of Roads and Urban Development also was hit with a cyber-attack that took down employees’ computer systems.
Then in October, an attack on Iran’s fuel-distribution network stranded drivers at fuel pumps across the country by disabling government-issued electronic cards providing subsidies that many Iranians use to purchase fuel at discounted prices.
Check Point researchers analyzed tools in the IRIB cyber-attack and compared them with those of Indra, the group believed to be responsible for the previous attacks in Iran’s infrastructure. Specifically, a novel wiper called Meteor – which not only wipes files but also can change users’ passwords, disable screensavers, terminate processes and disable recovery mode, among other nefarious features – was used in both the railway and roads attacks.
However, though a wiper was used against IRIB, it doesn’t appear to be the same one. Nor are the threat actors behind it likely the same, though a copycat situation may be at play, researchers concluded.
“Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks [that] happened in Iran,” they wrote in the report.
It’s still unclear who, exactly, the perpetrators of the IRIB attack are, however. While Iranian officials believe the Iranian opposition political party MEK is behind the attack, the group itself has denied involvement, researchers said.
Further, hacktivist group Predatory Sparrow, which claimed responsibility for the previous three infrastructure attacks, also affiliated itself with the IRIB attack via its Telegram channel. However, this is unlikely, as “no technical proof of the group’s attribution to the attack has been discovered,” according to Check Point.
What is known about the threat actor, however, is that due to the relative complexity of the attack itself, the group “may have many capabilities that have yet to be explored,” researchers noted.
At the same time, their reliance on IRIB insiders may have been the secret to the attackers’ success, as the tools they used are of “relatively low quality and sophistication, and are launched by clumsy and sometimes buggy 3-line batch scripts,” according to Check Point.
“This might support the theory that the attackers might have had help from inside the IRIB, or indicate a yet unknown collaboration between different groups with different skills,” researchers noted.
While researchers said they are still not sure how the attackers gained initial access to IRIB networks, they managed to retrieve and analyze malware related to the later stages of the attack that did three things: established backdoors and their persistence, launched the video or audio track playing the assassination message, and installed the wiper to disrupt operations in the hacked networks.
Attackers used four backdoor strategies in the attack: WinScreeny, HttpCallbackService, HttpService and ServerLaunch, a dropper launched with HttpService.
WinScreeny is a backdoor with the main purpose of capturing screenshots of the victim’s computer. HttpCallbackService is a remote-administration tool (RAT) that communicates with the command-and-control (C2) server every five seconds to receive commands to execute. HttpService is a backdoor that listens on a specified port and can execute commands, manipulate local files, download or upload files, or perform other malicious activities.
Finally, the ServerLaunch dropper – which starts both httpservice2 and httpservice4, each of which has a different predefined port to listen on – likely allows the attackers to ensure some sort of redundancy of the C2 communication, researchers wrote.
Hijacking the Video Stream
To interrupt the TV stream and play the opposition’s message, attackers used a program called SimplePlayout.exe, a .NET-based executable with a single functionality: to play a video file in a loop using the .NET MPlatform SDK by Medialooks.
To kill the video stream already playing so they could deploy their own, the attackers used a batch script called playjfalcfgcdq.bat, which killed the running process and deleted the executable of TFI Arista Playout Server, a software that the IRIB is known to use for broadcasting.
Attackers connected the dots with a script, layoutabcpxtveni.bat, that made the necessary connections to replace the IRIB video content with their own through a series of functions, including the launch of SimplePlayout.exe, researchers wrote.
In analyzing the wiper used in the attacks, researchers found “two identical .NET samples named msdskint.exe whose main purpose is to wipe the computer’s files, drives, and MBR,” they reported.
The malware also has the capability to clear Windows Event Logs, delete backups, kill processes and change users’ passwords, among other features.
To corrupt files, the wiper has three modes: default, which overwrites the first 200 bytes of each chunk of 1024 bytes with random values; light-wipe, which overwrite a number of chunks specified in the configuration; and full_purge, which does just that – overwrites the entire file content.