Iranian State Broadcaster IRIB Targeted by Devastating Wiper Malware

Cyberattack on Iranian National Media Uncovered: Wiper Malware Deployed

In late January 2022, a sophisticated cyberattack against the Islamic Republic of Iran Broadcasting (IRIB), a key player in the country’s national media landscape, was confirmed to involve the deployment of wiper malware alongside tailored malicious implants. This incident underscores the ongoing wave of cyber threats faced by Iran, which has been the target of numerous attacks aimed at causing significant disruption to its infrastructure.

According to a report by the cybersecurity firm Check Point, the ramifications of the attack appear to be far-reaching, potentially affecting state broadcasting networks more severely than initially acknowledged. The investigation revealed that the attackers sought not only to disrupt operations but also to exploit vulnerabilities in IRIB’s broadcasting capabilities.

The on-air portion of the attack lasted a mere 10 seconds on January 27, during which the compromised IRIB network aired footage of leaders from the Mujahedin-e-Khalq Organization (MKO) alongside a call for violence against the Supreme Leader, Ayatollah Ali Khamenei. This brazen maneuver illustrates the attackers’ intent to create chaos and provoke a response from Iranian authorities.

Deputy IRIB chief Ali Dadi remarked on the complexity of the attack, suggesting that only those with intimate knowledge of the broadcasting systems could have executed it. During the breach, attackers implemented various types of malware capable of capturing screenshots, deploying backdoors, and executing batch scripts to facilitate the attack and install harmful executables.

Check Point’s analysis highlights that while traces of backdoors, batch scripts, and configuration files were found, it currently remains unclear how the attackers first infiltrated the network. The investigation uncovered several indicators of compromise, including tools designed to maintain persistence and disrupt operational integrity through the installation of wiper malware.

The attack methodology included interrupting video streams by leveraging batch scripts to delete essential broadcasting software and replay a malicious video file. Notably, the wiper malware’s primary function was to corrupt stored files, erase the master boot record, clear event logs, delete backups, and modify user credentials.
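The wiper behaviours listed above (clearing event logs, deleting backups, tampering with the boot record, changing credentials) are individually noisy but collectively distinctive. The following added example, which is not code from Check Point or from the article, shows one way a defender can correlate them: it parses a constructed key=value log format (not a real SIEM schema), maps records to wiper-style signals using well-known Windows event IDs (1102 audit log cleared, 4724 password reset attempt, 4688 process creation, Sysmon event 9 RawAccessRead), and raises an alert only when several distinct signals occur on one host inside a short window. The host names, timestamps and log lines are constructed for the demonstration.

```python
"""Correlate Windows event records into a wiper-activity alert.

Added example; the log layout is a constructed key=value format and the
sample lines are invented for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real IRIB data).
SAMPLE_LOGS = [
    # Host studio-pc01: several destructive behaviours within a few minutes.
    '2022-01-27T18:00:01 host=studio-pc01 event_id=4688 process=vssadmin.exe '
    'cmdline="vssadmin delete shadows /all /quiet"',
    '2022-01-27T18:00:09 host=studio-pc01 event_id=9 process=unknown.exe '
    'device=\\\\.\\PhysicalDrive0',
    '2022-01-27T18:01:30 host=studio-pc01 event_id=4724 target_user=broadcast_svc',
    '2022-01-27T18:03:12 host=studio-pc01 event_id=1102 subject=administrator',
    # Host admin-ws02: a lone log clear, plausibly routine maintenance.
    '2022-01-27T09:15:00 host=admin-ws02 event_id=1102 subject=helpdesk',
    # Host ingest-01: ordinary process creation, no wiper signal.
    '2022-01-27T18:02:00 host=ingest-01 event_id=4688 process=notepad.exe '
    'cmdline="notepad.exe"',
]

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split an ISO timestamp followed by key=value fields into a dict."""
    ts, _, rest = line.partition(" ")
    record = {"timestamp": datetime.fromisoformat(ts)}
    for key, value in KV_RE.findall(rest):
        record[key] = value.strip('"')
    return record


def classify(record):
    """Map one record to a wiper-style signal name, or None if benign."""
    eid = record.get("event_id")
    if eid == "1102":                      # security audit log cleared
        return "event_log_cleared"
    if eid == "4724":                      # password reset attempted
        return "credential_modified"
    if eid == "9" and record.get("device", "").lower().endswith("physicaldrive0"):
        return "raw_disk_access"           # Sysmon RawAccessRead on the boot disk
    if eid == "4688":                      # process creation
        proc = record.get("process", "").lower()
        cmd = record.get("cmdline", "").lower()
        if proc == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            return "backups_deleted"
    return None


def correlate(lines, window=timedelta(minutes=10), min_signals=3):
    """Alert on hosts showing >= min_signals distinct signals within `window`.

    A single signal (for example one cleared log) is not enough; the wiper
    pattern is the combination of destructive actions in quick succession.
    """
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        sig = classify(rec)
        if sig:
            per_host[rec["host"]].append((rec["timestamp"], sig))

    alerts = []
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [s for t, s in items[i:] if t - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_signals:
                alerts.append({"host": host, "first_seen": start, "signals": distinct})
                break  # one alert per host is enough for the analyst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"{alert['host']}: {', '.join(alert['signals'])} "
              f"starting {alert['first_seen'].isoformat()}")
```

The threshold and window are tunable: a lone 1102 on an admin workstation is routine, but a shadow-copy deletion, raw access to the boot disk, a credential reset and a log clear on the same broadcast host within minutes is exactly the sequence described in the report and warrants immediate isolation of that host.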

Mapped to the MITRE ATT&CK framework, the tactics included initial access via exploited software vulnerabilities, persistence through established backdoors, and execution by way of batch scripts. Together these point to a coordinated effort to maintain control of the broadcasting network and exploit weaknesses in its architecture.

The intrusion began a troubling chapter for Iran’s cybersecurity landscape, showcasing both the adversaries’ capacity to bypass security measures and the possible insider knowledge that could have aided them. Ongoing investigations remain vital for understanding the full extent of the incident and improving defenses against future cyber threats.

As cyberattacks continue to evolve in complexity, the need for robust cybersecurity measures becomes increasingly pressing for organizations across the globe. Business owners should remain vigilant to similar tactics and adapt their defenses accordingly to protect their operations and sensitive data from potential compromises.
