By: Itay Cohen, Head of Cyber Research at Check Point Software
Check Point Research found files related to recent attacks against steel facilities in Iran. An initial analysis of the malware, dubbed “Chaplin” by the attackers, found that it is based on a wiper called Meteor that was used in last year’s attacks against the Iranian Railways system and the Ministry of Roads and Urban Development. That attack was thoroughly described in our previous publications. Even though Chaplin is built from the tools used in the earlier attacks, it does not contain the wiping functionality and does not corrupt the victim’s file system. Instead, it prevents the user from interacting with the machine, logs them off, and displays on the screen a single-frame video announcing the cyber attack. Although the file system is left intact, the machine is still rendered unusable: the malware prevents it from booting correctly.
The video displayed on the victim’s computer presents the logos of Predatory Sparrow’s recent victims:
– Khouzestan Steel Company (KSC)
– Iranian Offshore Oil Company
– Ministry of Roads and Urban Development
– Islamic Republic of Iran Railways
It is possible that the obtained files were used in the attack against KSC, as the company confirmed it was under attack. Finally, as in the group’s previous attacks, the attackers repeated their running joke and directed victims to “64411”, the phone number of the office of Iran’s Supreme Leader.
Last year, Check Point Research analyzed the attacks against Iran’s railway systems and was able to connect them to earlier attacks by a group named “Indra”, which has been operating since 2019 against targets in Iran and Syria.
Predatory Sparrow, which claimed responsibility for the recent attack against Iran’s steel industry, is also the group that claimed responsibility for the attacks against Iran’s railway systems and the Iranian Ministry of Roads and Urban Development. Given the use of the same tools, methods, and techniques, it is quite possible that Indra and Predatory Sparrow are the same group.
The recent attack joins a flood of attacks conducted by groups portraying themselves as hacktivists against the regime. The number of attacks, their success, and their quality suggest that they were conducted by an advanced attacker or attackers, perhaps a nation-state with an interest in sabotaging Iran’s critical infrastructure and in sowing panic among the Iranian public and officials.
Check Point Research will continue to monitor and analyze cyber attacks related to these events.