A significant cyber incident recently hit Iran’s transport ministry and national railway system, disrupting train services and operations. The event has been linked to a previously unseen, reusable wiper malware identified as “Meteor.” Researchers from the Iranian cybersecurity firm Amn Pardaz and from SentinelOne report that the attack, which they named “MeteorExpress,” is the first recorded deployment of Meteor, and that they could not tie it to any known threat group or earlier attack.
On July 9, the Iranian train system suffered severe disruption from the malware, and the attackers altered station display boards to tell passengers to direct their complaints to the office of Ayatollah Ali Khamenei. The incident reportedly caused widespread confusion, with numerous train delays and cancellations. SentinelOne’s Principal Threat Researcher, Juan Andres Guerrero-Saade, noted that although no clear indicators of compromise were available at the outset, most of the attack components could still be recovered, revealing the tradecraft of an unfamiliar adversary.
The attackers abused Group Policy, a legitimate domain-management feature rather than a software vulnerability, to push a toolkit onto domain-joined machines. That toolkit included batch scripts that staged and launched components capable of encrypting files, corrupting the master boot record, and rendering the targeted systems unusable. Other scripts in the chain disconnected the infected machines from the network and added exclusions to Windows Defender so that the malicious files would not be scanned, a tactic increasingly used by criminal and state actors alike to evade endpoint security products. Because Group Policy can only push content to machines that trust the domain, this delivery method implies the attackers already held administrative control of the domain before the destructive phase began.
Meteor has been described as an externally configurable wiper with a broad feature set: it deletes volume shadow copies, changes user passwords, terminates processes, and locks the machine, in addition to wiping files. Its design mixes custom code with open-source components in a way that the researchers found inconsistent, suggesting several developers working without tight coordination.
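The script behaviours described in the two paragraphs above (Defender exclusions, network disconnection, shadow-copy deletion, password changes) are individually noisy but collectively distinctive. The following Python example, added here and not part of the original report or of any vendor tooling, shows how a detection engineer might match those behaviours against process-creation telemetry and then correlate them per host, so that a lone shadow-copy deletion on a backup server stays quiet while several destructive preparations within seconds on one workstation raise an alert. The log records, host names and command lines are constructed for the example; the regexes and ATT&CK technique labels are the author's own mapping, not anything taken from the MeteorExpress samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, modelled on the fields of a Sysmon Event ID 1
# or Security 4688 process-creation event. They are illustrative only and
# are not captured MeteorExpress telemetry.
SAMPLE_EVENTS = [
    {"time": "2021-07-09T08:00:05", "host": "WS-114", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\temp"'},
    {"time": "2021-07-09T08:00:07", "host": "WS-114", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"time": "2021-07-09T08:00:09", "host": "WS-114", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'netsh.exe interface set interface "Ethernet" admin=disable'},
    {"time": "2021-07-09T08:00:11", "host": "WS-114", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net.exe user Administrator Zz9!randompw"},
    # Benign noise: a scheduled backup job pruning one old shadow copy.
    {"time": "2021-07-09T02:30:00", "host": "BACKUP-01", "parent": r"C:\Program Files\Backup\agent.exe",
     "cmdline": r"vssadmin.exe delete shadows /for=D: /oldest"},
    {"time": "2021-07-09T09:15:00", "host": "WS-201", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\a\notes.txt"},
]

# Each rule: (ATT&CK technique label, human-readable description, pattern).
# The netsh rule has no precise ATT&CK sub-technique, so it carries a generic
# "network-isolation" tag instead of an ID.
RULES = [
    ("T1562.001", "Defender exclusion added or protection disabled",
     re.compile(r"(Add|Set)-MpPreference\b.*-(Exclusion(Path|Process|Extension)|Disable\w+)", re.I)),
    ("T1490", "Volume shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Boot recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1531", "Account password changed from the command line",
     # "net user <name> <password>": two positional tokens that are not switches.
     re.compile(r"\bnet1?(\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+", re.I)),
    ("network-isolation", "Network interface administratively disabled",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*\badmin=disable", re.I)),
]


def scan(events):
    """Return one hit per (event, rule) match; a single event can hit several rules."""
    hits = []
    for ev in events:
        for technique, label, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"time": ev["time"], "host": ev["host"],
                             "technique": technique, "label": label, "cmdline": ev["cmdline"]})
    return hits


def correlate(hits, window=timedelta(minutes=10), min_distinct=3):
    """Flag a host when at least `min_distinct` different behaviours occur within `window`.

    Returns {host: sorted list of the distinct labels seen in the first qualifying window}.
    """
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)
    flagged = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["time"])
        times = [datetime.fromisoformat(h["time"]) for h in host_hits]
        for i, start in enumerate(times):
            labels = {host_hits[j]["label"] for j in range(i, len(host_hits))
                      if times[j] - start <= window}
            if len(labels) >= min_distinct:
                flagged[host] = sorted(labels)
                break
    return flagged


if __name__ == "__main__":
    all_hits = scan(SAMPLE_EVENTS)
    for h in all_hits:
        print(f"{h['time']} {h['host']:10} {h['technique']:18} {h['label']}")
    for host, labels in correlate(all_hits).items():
        print(f"ALERT {host}: {len(labels)} destructive preparations within 10 minutes: {labels}")
```

Run against the constructed events, the scanner produces five hits (four on WS-114, one on BACKUP-01) but only WS-114 is flagged, because the backup server shows a single behaviour in isolation. Tuning the window and the distinct-behaviour threshold is what keeps this kind of rule usable: the individual commands are routinely run by administrators and backup agents, and it is the sequence, not any one command, that signals a wiper being staged.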
According to Guerrero-Saade, the incident illustrates an evolving threat landscape in which newly emerging actors are willing to deploy purpose-built wiper malware against critical public infrastructure. The attacker appears to operate at an intermediate level of maturity, combining rudimentary and advanced tradecraft in the same operation.
It is also notable that the adversaries understood the target environment, in particular the configuration of the domain controller and the backup software in use, such as Veeam. That knowledge implies a reconnaissance phase that went undetected, and the intrusion path by which the attackers first gained and escalated their access has not yet been reconstructed.
Mapped to the MITRE ATT&CK framework, the observed tactics span several stages: pushing the toolkit through Group Policy is domain policy modification (T1484.001) used for execution and lateral movement, which presupposes that the attackers had already gained initial access and domain-level privileges by a route not yet identified; the batch scripts that disable Defender scanning and cut network connectivity fall under impairing defenses (T1562); deleting shadow copies and corrupting the boot record inhibit system recovery (T1490) and wipe disk structures (T1561); and changing user passwords removes account access (T1531). For organizations evaluating their own posture, the practical lesson is to alert on changes to Group Policy objects and SYSVOL scripts, on the addition of Defender exclusions, and on shadow-copy deletion outside of known backup windows, since these precede the destructive phase by minutes rather than days, and to keep backup infrastructure isolated from the domain the attacker is expected to control.