A January 2022 investigation into a cyberattack on Iran's national broadcaster, the Islamic Republic of Iran Broadcasting (IRIB), found that the attack delivered wiper malware and other custom implants.
This indicates that the attackers’ aim was also to disrupt the state’s broadcasting networks, with the damage to the TV and radio networks possibly more serious than officially reported.
On January 27, a breach of state broadcaster IRIB allowed images of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi to be aired with a demand for the killing of Supreme Leader Ayatollah Ali Khamenei. “This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi said to state TV channel IRINN.
Custom malware capable of capturing images of the victims’ displays was also employed during the breach, together with backdoors, batch scripts, and the configuration files required to install and configure the malicious executables. Check Point said it didn’t have enough information to attribute the attack to a single threat actor, and it’s unclear how the attackers gained access to the targeted networks in the first place. Artifacts discovered so far include files responsible for:
- Creating backdoors and maintaining them,
- Releasing the “malicious” video and audio files, and
- Installing the wiper malware to interrupt activities in infiltrated networks.
A batch script was employed to disrupt the video feed by deleting the executable associated with TFI Arista Playout Server, a broadcasting program used by IRIB, and looping the video file (“TSE 90E11.mp4”). The attack also involved the installation of a wiper whose primary goal is to corrupt the computer’s contents; it also erases the master boot record (MBR), clears Windows Event Logs, deletes backups, kills processes, and changes users’ passwords.
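Several of the wiper behaviours listed above (clearing Windows Event Logs, deleting backups, killing processes, changing passwords) leave traces in process-creation logs, and the useful signal is their co-occurrence on one host rather than any single command. The detector below is an added example, not code from Check Point or from the incident; the log format, host names, and command lines are constructed, and the correlation threshold is an assumption.

```python
"""Correlate wiper-like behaviours (event log clearing, backup deletion,
process killing, password changes) across constructed process-creation logs.
Added example: not Check Point's analysis code and not the attacker's tooling."""
import re
from collections import defaultdict

# Each rule: (behaviour category, regex applied to the lowercased command line).
RULES = [
    ("clear_event_logs", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("delete_backups", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwbadmin(\.exe)?\s+delete\b")),
    ("kill_processes", re.compile(r"\btaskkill(\.exe)?\s+.*?/f\b")),
    # "net user <name> <password>": a second positional argument that is not a switch.
    ("change_passwords", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+(?!/)\S+")),
]

def parse_line(line):
    """Constructed log format (assumption): '<timestamp>|<host>|<user>|<command line>'."""
    ts, host, user, cmd = line.strip().split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def categorize(cmd):
    """Return the sorted list of behaviour categories a single command line matches."""
    low = cmd.lower()
    return sorted(cat for cat, rx in RULES if rx.search(low))

def detect(lines, threshold=3):
    """Map host -> sorted categories for hosts showing at least `threshold` distinct
    wiper behaviours. A lone hit (an admin clearing one log) does not alert."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        seen[rec["host"]].update(categorize(rec["cmd"]))
    return {h: sorted(c) for h, c in seen.items() if len(c) >= threshold}

# Constructed sample log lines (not from the incident); host and file names are made up.
SAMPLE = [
    "2022-01-27T10:00:01|playout-01|SYSTEM|wevtutil.exe cl Security",
    "2022-01-27T10:00:02|playout-01|SYSTEM|wevtutil cl System",
    "2022-01-27T10:00:03|playout-01|SYSTEM|vssadmin delete shadows /all /quiet",
    "2022-01-27T10:00:04|playout-01|SYSTEM|taskkill /F /IM video_server.exe",
    "2022-01-27T10:00:05|playout-01|SYSTEM|net user operator NewPassw0rd!",
    "2022-01-27T11:15:00|ws-admin-07|jdoe|wevtutil cl Application",
    "2022-01-27T11:16:00|ws-admin-07|jdoe|net user jdoe /active:yes",
]

if __name__ == "__main__":
    for host, cats in detect(SAMPLE).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

Only playout-01 alerts: the admin workstation clears one log and toggles an account without setting a password, which stays below the threshold.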
The threat actor used four backdoors in the attack: WinScreeny, HttpCallbackService, HttpService, and ServerLaunch, a dropper that was launched via HttpService. Combined, these components allowed the adversary to take screenshots, receive commands from a remote server, and perform other destructive tasks.