Hackers used never-before-seen wiper in recent attack on Iranian train system
Researchers at cybersecurity company SentinelOne recently released a report detailing a cyberattack on Iran’s train system. The report identifies a new threat actor dubbed MeteorExpress and a previously unknown wiper. Local news outlets first reported the attack on July 9, stating that hackers were defacing display screens in train stations. The messages on the screens allegedly urged passengers to call ‘64411,’ which is the phone number of Iranian Supreme Leader Khamenei’s office. Train services were also disrupted as a result of the attack. The next day, the hackers went one step further and took down the website of the country’s transport ministry.
Media outlets reported that the ministry’s portal and sub-portals were taken offline after the attack. SentinelOne found that the threat actors behind the attack used a wiper referred to as Meteor, and said that the tool was developed within the past three years. Researchers stated that they were unable to find evidence linking the activity with a previously identified threat group. This, among other indications, led the researchers to believe that the malicious actors are unfamiliar.