Malware used in a crippling cyberattacks against an Iranian steel plants last week is connected to an attack that shut down the country’s rail system last year. In both cases, on malware strain was used to impact physical and critical infrastructure, according to a report from Check Point Research.
The overlaps in the code, combined with contextual clues and even recycled jokes, indicate that the same threat actor, dubbed Indra, is behind the attacks impacting Iran’s infrastructure.
On June 27, a steel billet production line at the Khuzestan Steel Corporation began to malfunction. According to reports, sparks flew sparking a fire in the heart of the plant.
In a statement to the press, Khuzestan Steel’s CEO denied that any damage had been done.
“With timely action and vigilance the attack failed and no damage was done to the production line,” the company said in a statement.
A video posted to Twitter under the username @GonjeshkeDarand claimed responsibility for the both attacks. The video purported to show footage from inside the steel factory. A message was included explaining the attackers’ motives:
“These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber attacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic.”
Last year – on the morning of Friday, July 9 – Iran’s national railway system came under attack. On information boards at stations across the country, hackers posted messages about delays and cancellations that didn’t actually exist. (Those messages themselves caused delays, as confusion swept through the commuter crowds.) Check Point attributed that disruption to Indra, a group that’s been active since 2019.
Connecting This Week to Last Year
In both the steel and railway attacks, the perpetrators posted a notice instructing victims and passengers to call a certain phone number. That number belongs to the office of the Ayatollah Khamenei, according to Check Point.
Check Point claims it has overlaps between the malware used in both campaigns.
An executable (chaplin.exe) discovered in last week’s attack is a variant of malware identified as meteor, a wiper strain believed used in last year’s attack against Iran’s railway system. “It’s clear that both variants share a codebase,” according to researchers. The malware was dubbed separately as chaplin.
Even without a wiper, the malware is potent. “It begins its execution by disconnecting the network adapters, logging off the user, and executing another binary in a new thread,” the researchers tweeted. The binary “forces the display to be ON and blocks the user from interacting with the computer.” After completely blocking the victim from their own computer’s operation, Chaplin displays the hackers’ message onscreen and “deletes the “Lsa” registry key, preventing the system from booting correctly.”
The investigation into last Monday’s attacks is still ongoing.