
Rage Against the Regime: Attacking National Infrastructure in Iran by Sam Handelman and Israel Gubi

BSides TLV · 2022 · 23:02 · Published 2022-07

Hi, hello everyone, and thank you for attending our talk about the attacks against national infrastructure in Iran in the last year. My name is Israel. I'm working at Check Point, and I will be giving this talk along with my colleague Sam, who also works at Check Point; we are both part of Check Point Research.

In the last year many cyber attacks were performed against Iranian entities, and many dissident groups took responsibility for the different attacks. We researched some of those attacks, and today we are going to talk about some of them.

The first attack happened last July. What seemed like another regular day in Iran turned upside down: the screens in the national railway stations started to indicate delays and cancellations, and behind the scenes the systems that are responsible for locating where the trains are totally collapsed. On the screens in the national railway stations a message was displayed saying "Long delays due to cyber attacks. More information: 64411", and a quick search showed us that the attackers had some sense of humor, as this number belongs to none other than the supreme leader of Iran, Ali Khamenei. The next day another attack happened, now against the Ministry of Roads and Urban Development. An Iranian social media profile posted a picture of one of the victims showing a message of the attackers taking responsibility for both this attack and the attack the day before.

So we started to check if there were any leads for the attack, and fortunately for us Padvish, which is an Iranian antivirus, posted a report shedding some light on what happened in the attacks. Padvish probably had some access to the malware files, as they are the main endpoint solution for Iranian entities, and even though there were no IOCs in the report, there was other information that we could use, like file names, code snippets and the execution flow, and we used this data in order to find files.

We found dozens of files, all uploaded to VirusTotal from Iran, and even though we couldn't find all the files from the report, we managed to recover most of the execution flow. The execution flow was assembled from a lot of script files and PE tools that performed several actions, such as disconnecting the computer from the network and disabling antiviruses. In general it had too many script files, in my opinion, and it was a little bit weird as an execution flow. Another interesting thing is that we found paths and internal object names related to Iranian railways in the scripts, which showed us that the attackers had some prior knowledge of the environment of the victims, and it also assured us that we were looking at the right files.

The attack ends with unleashing the payload that is internally named Meteor, and it's responsible for locking the systems and wiping the victim's computer. Meteor works only if it has a configuration file in order to operate correctly, and the fields in the configuration file are pretty much straightforward, like paths to wipe or processes to kill. Meteor supports more than 20 configuration fields but only uses 10 of them, which might suggest that maybe this tool was not created specifically for this attack. It also gave the attackers some kind of flexibility in the execution of the payload and the opportunity to tailor every attack for every victim, and in fact the configuration that we found and the configuration from the Padvish report were a little bit different in one of the fields, which showed us that the attackers really used different configurations for different victims. The wiper starts with writing "Meteor is started" to a log file, and this is where the name of the malware came from. In general we want to thank Meteor's writers for adding a lot of debug strings in it, which made our life much easier when analyzing it.

In terms of functionality, Meteor is a pretty standard wiper: it corrupts the computer's boot configuration, changes passwords, locks the system and wipes files, but not before it changes the desktop wallpaper and the lock screen image to the following one. After translating what is written here we got "Long delays due to cyber attacks. For more information: 64411", and if it looks familiar to you, this is because this is the exact message that was shown on the platform boards in the actual attack.

So after analyzing this attack we tried to find if this tool was ever used in other attacks as well, and we found in VirusTotal files submitted from three different incidents by three different submitters, all of them located in Syria. In those files we found other versions of the same wiper, named internally Comet and Stardust, with the same debug strings that we found in Meteor. We also found the configuration that Stardust used, and it led us to the victims of those attacks, named Katerji Group and Arfada Petroleum, both of them companies located in Syria. We also found the image that replaced the desktop wallpaper, and this image starts with an introduction, "I am Indra, god of war", and it also gives an explanation for the attack, saying that this is because Katerji Group has connections to the Quds Force.

So we started to search if there were other attacks on these groups, if there was any information, and what we found is a tweet by an account named, surprisingly, Indra, taking responsibility for those exact attacks. Crawling through Indra's tweets we found other attacks that they took responsibility for, leaked data from those attacks and many political messages against the Iranian regime and its affiliates, mostly Hezbollah. Indra took responsibility for several attacks, and most of them matched our data. The first attack was against a company named Alfadex. This is a Syrian company for exchanging money, and it's suspected to have connections to several terrorist groups, and in this attack the first version of the wiper was used, named Comet. After that they took responsibility for an attack against a company named Cham Wings, but we don't have any technical evidence except the tweets by Indra and the data they leaked. Also there are the attacks against Arfada Petroleum and Katerji Group, where they used the second version of the wiper, named Stardust, and they accused them of having ties to the Quds Force. In November 2020 they threatened to attack the Banias oil refinery, but we don't know if this attack really happened, and since then Indra stopped tweeting and we didn't see any operation by them until the attacks against the Iranian railways.

There are several connections between the attacks in Syria and the attacks on the Iranian railway stations and the ministry. First is the execution flow that is assembled from a lot of batch scripts for no clear reason, and there are a lot of scripts that implement the same functionality. Also the attack announcements: in both of the attacks the attackers didn't try to stay silent, but they posted a picture to the victims taking responsibility. And the main connection is the payload: all of the attacks used the same payload, the same wiper, but different versions of it, and we don't have any indication that this tool was ever used by any other group. Also Comet and Stardust have the name Indra in them, which makes the connection between those tools and Indra even stronger. We still need to remember that Indra didn't take responsibility for the attack on the Iranian railways. It can be for several reasons, but still we believe that those attacks were performed by the same group, for the reasons that we stated before. Now I will let Sam elaborate about another attack against Iranian infrastructure that happened earlier this year.

Okay, let's fast forward half a year, when another large attack was carried out against Iranian infrastructure, but this time it was on TV, literally. On January 27, 2022, a bunch of TV channels owned by the Islamic Republic of Iran Broadcasting, or the IRIB, were hijacked by attackers. Being the state-sponsored TV and radio broadcaster in Iran, the IRIB is completely controlled by the government. When the attackers disrupted the broadcast they played a video showing the leaders of the MEK, a major dissident group in Iran. While showing these images, the video also called for the assassination of the supreme leader Ali Khamenei, whose face you can see here with the red X. In addition, officials reported other attacks on state-operated radio stations but never specified which.

Now we began our search on VirusTotal, searching for anything we could possibly find related to the attack. Well, we started finding files right away, thank you VirusTotal submitters, and then we kept finding more and more and more files. Among these files we found were batch scripts to execute payloads, audio and video files, forensic artifacts, .NET executables and other things as well. There were several notable commonalities among these files, including tampered compilation timestamps, similar PDB paths, shared VT submitters, reuse of code and similar coding styles. But even after going through all these files we still didn't have an infection chain, since the files that we found were related to later stages of the attack. This might mean that there was an insider threat, which would suggest that maybe there was no phishing or exploit used to start the attack.

Now let's talk about how they replaced the video on the TV. We discovered two important files related to the TV hijacking. The first is the MP4 file; this is the file that was displayed on TV during the attack. We also found a file called SimplePlayout.exe, which interrupted the broadcast to play the attacker's video instead. The attackers also wrote a batch script to kill and uninstall software related to the current broadcast to ensure that the video would play, and they replaced the broadcast service with their own executable. We also discovered files related to the radio hijacking. Specifically, we found a WAV file whose audio was very similar to that of the MP4 file we found. We also found a program called Avar.exe, which plays the WAV file that we found after killing a different process on the system called Ava.exe. So Ava.exe is probably used to broadcast on the radio, since they killed it and replaced it with their own binary, and interestingly the name Ava suggests the attack was probably intended for IRIB's Ava radio station, but this was never publicly confirmed.

Now surprisingly this wasn't all about just hijacking TV and radio. In fact, when we took a closer look we saw that there was a destructive operation in play here. Specifically, we found a wiper that was used to destroy files in IRIB's networks. The wiper achieves its goals by destroying computer files, drives and master boot records, but the wiper is also able to clear event logs, delete backups, kill processes and change user passwords to prevent people from being able to access their accounts. The wiper accepts three different forms of configuration: command line arguments, a hard-coded default configuration, or it can read from a file called messywipe.ini. The wiper also has three different modes of operation: default, which simply overwrites the first 200 bytes of each chunk of 1024 bytes in the file; next is full purge, which simply overwrites the entire file content; and then lastly we have light wipe, which overwrites a specified number of chunks via the configuration, which in the hard-coded configuration here is three. However, we found a batch script that we believe the attackers used to actually execute this payload, which you can see here: they use command line arguments to reset all passwords to random strings and log out any active user sessions.

Now we found three different backdoors that shared both code similarities to the wiper as well as very creative naming conventions, including WinScreeny, whose primary purpose was to take screenshots, but it also accepts shell commands; then there's HttpCallbackService, which is just a simple RAT that is able to transfer files to and from the C&C server, but it also executes shell commands when needed; and lastly we have HttpService, which is a multifunctional backdoor with a bunch of features, including but certainly not limited to transferring files to and from the C&C server. But wait, didn't HttpCallbackService do that too? Okay, well, it's also able to, guess what, execute shell commands. It's a little bit redundant, but what can you do. And then HttpService interacts with the C&C server by sending HTTP HTML pages like this one, which gives the attacker a nice user interface: by simply clicking on hyperlinks they send messages or commands back to the backdoor.

Now how exactly did we connect all of these files together? Well, as I mentioned earlier, we started seeing the files come from the same VirusTotal submitters right after the attack, and most of them were located in Iran. When we found the video file on VirusTotal we immediately recognized it from the news, so we knew we were on the right track. Connecting the video and audio files to the malware was very straightforward, since we saw the file path to the video inside SimplePlayout's configuration file and we saw that the WAV file was hard-coded into Avar.exe. We also found batch scripts that were tampering with software used in broadcasting environments, some of which we specifically know the IRIB is using based on OSINT, and of course we saw many similarities in the executables, including code reuse.

Now here's a picture-perfect example of such code reuse. On the left we have a function called do cmd, which simply executes a shell command; this is from HttpService. On the right we have WinScreeny, which is another one of the backdoors I mentioned earlier, with the same exact function, do cmd, same code, same everything. Well, I think these guys really like to copy and paste.

Now personally I could not believe how lucky we were when investigating the files on VT when we came across multiple Windows event log files. I mean, who uploads that? The event log file displayed here contains evidence that the wiper was executed in the Iranian TV network. As you can see here, the domain is mit-tv.ir, and in the event message you can see the entry point to the wiper that we found.

Now the Iranian government claimed that the MEK was behind the attack, but they denied any sort of connection. Nonetheless, Iran's claim is logical, because they displayed the leaders of the MEK in support of them, but it's possible the attackers are just fans, or maybe they're trying to mislead us; we don't actually know. Now immediately after the attack a hacker group called Predatory Sparrow claimed responsibility on their Telegram channel. The morning of the attack they wrote a message saying that something good was coming. However, although they took credit for the attack, we don't have any technical proof that it was really them. Another thing to notice is that if you look at the Twitter handle on the video, it points to a different account called Ghyam Sarnegouni. Ghyam Sarnegouni means "uprising to overthrow" in Farsi. Since this group first appeared in January 2022, the group has continued to attack the Iranian regime, and in April 2022 the group hacked the websites of the Ministry of Culture and Islamic Guidance and the Ministry of Agriculture Jihad, defaced their websites with the image seen here, published leaked documents and destroyed some of their data. The picture also contains the same Twitter handle, Ghyam Sarnegouni, and the images of the MEK leaders, and again the red X over the supreme leader's face. Now at the beginning of June 2022 the group hacked into over 5,000 surveillance cameras and online services of the Tehran municipality and leaked videos online showing what they had accomplished. During this time we also saw uploads to VirusTotal of new variants of the backdoors and the wiper that we found in the IRIB attacks, and in fact the new variants of the wiper that we found seemed to have a new name, and it was called Dilemma, based on the PDB paths we saw.

And now for some breaking news: just earlier this week, on Monday, June 27th, there was a major cyber attack conducted against Iranian steel companies. Now our friends at Predatory Sparrow, who took credit for the TV hijacking, posted a video of one of the attacks on their Telegram channel and claimed that they hit three different Iranian steel companies with ties to the IRGC. They also said that the attacks were carried out in such a way as to ensure people wouldn't be harmed when destroying infrastructure.

So what do we know so far about these guys? Well, attacks on critical infrastructure require highly skilled attackers, because they need to stay under the radar during the initial stages and reconnaissance, implying that we're dealing with a very sophisticated group. But on the other hand, the payloads were filled with copy-and-pasted code and launched by buggy three-line batch scripts, which demonstrated a lower level of sophistication. This contradiction could have a number of explanations: maybe they had help on the inside, maybe this was a collaboration of multiple groups with different skill levels, maybe we can just ask them on Telegram, because I definitely have a lot of questions for them. Thank you guys very, very much. If you have any questions for us, please feel free to call us at 64411. We'll be happy to answer.