Iran’s state-sponsored hackers have deployed a new strain of malware, warns IBM, which has been aimed at the “industrial and energy sectors” in the Middle East. No specific companies have been identified, but there’s no surprise in the nature of the attack. For Iran, its ongoing hybrid conflict with the U.S. and its allies has made these sectors a target. IBM has attributed the latest “destructive attacks” to Iran’s hyperactive APT34 “and at least one other group, [also] likely based out of Iran.”
APT34 has hit the headlines a few times this year, including with a phishing attack using LinkedIn. But it’s the identity of that “one other group” that’s arguably more interesting. The sectoral targets and use of wiper malware points towards Iran’s APT33, arguably the best known of its threat actors. This is the group behind the Microsoft Outlook exploit in July, prompting a U.S. government warning, and which deployed its own VPN to veil “aggressive attacks” on U.S. and Middle East targets in the oil and gas sector. APT33 was also behind the infamous 2012 Shamoon attack on Saudi Aramco, an attack which erased the data on most of the company’s computers.
IBM’s X-Force team has dubbed the new wiper malware “ZeroCleare.” According to the team’s report, “we were not surprised to find that ZeroCleare bears some similarity to the Shamoon malware—ZeroCleare aims to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines.” As with Shamoon, the attack misuses EldoS RawDisk to attack files and disks on target machines.
The Iranian malware used RawDisk “to wipe the MBR and damage disk partitions on a large number of networked devices—sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to fully recover from.” Here, again, are parallels to Shamoon: an attack intended to disable strategic targets and cause real-time economic harm. IBM does not think this strain of malware has been seen before, and so this may be its first known use in the wild.
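The damage described above is structural: sector 0 loses its boot signature and partition table. The following is an added example (not code from IBM’s report or from the ZeroCleare analysis) of the sanity check a responder might run over the first 512 bytes of a disk image to tell an intact MBR from an overwritten one; the sample sectors it builds are constructed for illustration.

```python
"""Sector-0 (MBR) sanity check for a disk image, as a responder might run after a suspected wipe."""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(sector: bytes) -> list:
    """Return the four primary partition entries of a 512-byte MBR sector."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "count": count})
    return entries


def mbr_findings(sector: bytes) -> list:
    """List structural problems that indicate sector 0 has been overwritten or zeroed."""
    if len(sector) != MBR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partitions(sector)
    if all(e["type"] == 0 and e["count"] == 0 for e in entries):
        findings.append("partition table empty")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):  # only "inactive" or "bootable" are valid
            findings.append(f"entry {i}: invalid status byte {e['status']:#04x}")
        if e["type"] != 0 and e["count"] == 0:
            findings.append(f"entry {i}: non-empty type with zero length")
    return findings


def build_sample_mbr(wiped: bool) -> bytes:
    """Constructed sample: a healthy single-NTFS-partition MBR, or one overwritten with filler."""
    if wiped:
        return bytes([0xAA]) * MBR_SIZE  # constructed filler standing in for wiper output
    sector = bytearray(b"\x90" * 446)  # placeholder bootstrap code
    sector += struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 0x100000)  # bootable NTFS partition
    sector += b"\x00" * 48  # three unused entries
    sector += BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, wiped in (("healthy", False), ("wiped", True)):
        print(label, mbr_findings(build_sample_mbr(wiped)) or ["no issues"])
```

On a real image, read the first 512 bytes of the device or image file and pass them to `mbr_findings`; comparing `parse_partitions` output against a known-good baseline shows which entries changed.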
Iranian hacking groups are now demonstrating a tenacity and an increasingly sophisticated set of cyber weapons to target strategic industries. And while U.S. commercial entities are definitely in the crosshairs, the Middle East is seen as a softer target. The twist here is that this latest attack included multiple tools deployed by different Iranian threat groups to bypass system security layers, brute force network credentials and plant the wiper malware—a major concern to the industry.