Last Updated on 21/02/2022 by Nidhi Khandelwal
As the country’s national infrastructure continues to face a wave of attacks aimed at inflicting serious damage, an investigation into a cyberattack targeting Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), in late January 2022 resulted in the deployment of a wiper malware and other custom implants.
In a report released last week, Tel Aviv-based cybersecurity firm Check Point stated, “This indicates that the attackers’ goal was also to disrupt the state’s broadcasting networks, with the damage to the TV and radio networks probably more substantial than officially disclosed.”
On January 27, a breach of state broadcaster IRIB allowed images of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi to be broadcast alongside a call for the killing of Supreme Leader Ayatollah Ali Khamenei.
Custom malware capable of snapping images of the victims’ screens, as well as backdoors, batch scripts, and configuration files required to install and configure the malicious executables, were also employed during the hack.
Behind the scenes, a batch script was used to disrupt the video feed by deleting the executable associated with TFI Arista Playout Server, a broadcasting software used by IRIB, and looping the video file (“TSE 90E11.mp4”).
The attack also allowed for the installation of a wiper, which has the primary goal of corrupting the computer’s contents, as well as erasing the master boot record (MBR), clearing Windows Event Logs, deleting backups, killing processes, and changing users’ passwords.