An Analysis of a January Attack Targeting Iran’s National Media Corporation


Multiple malware families, including a data-wiper and custom backdoors, were used in an attack against Iran’s state media corporation in January, according to an investigation.

The recent strike was part of a larger wave of cyber-attacks on Iran’s essential infrastructure, which included a July 2021 attack on the country’s railway and freight services, as well as an October attack on the country’s gas station network, both claimed by the hacker organisation ‘Predatory Sparrow.’

A hacktivist organisation leaked security camera footage from the Evin prison in August 2021, exposing prisoner maltreatment. The public first saw footage from the Ghezel Hesar prison on February 7, 2022.

The attackers sought to disrupt the broadcasting network by distributing data-wiping malware, according to a recent analysis from security vendor Check Point.

The attackers utilised a .NET-based executable to play a ‘malicious’ video clip in a loop, then used a batch script to kill all processes connected with, and remove the executable of, TFI Arista Playout Server, the software that IRIB uses for broadcasting, according to Check Point. A different TV stream and an audio stream were both hijacked using similar methods.

To completely wipe the hard discs and the MBR (master boot record), two identical .NET samples were used in the attack. The malware can completely destroy files, delete backups, stop processes, clear Windows Event Logs, and change user passwords, among other things.
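The behaviours described above (terminating and deleting the playout software, resetting passwords, clearing event logs) leave a recognisable trail in Windows event logs. The following detector is an added example, not code from Check Point or IRIB: the Windows event IDs 1102, 104, 4724 and 4688 are standard, while the host names, the `PlayoutServer.exe` process name and the sample events themselves are constructed for the demo.

```python
# Added example (not from the Check Point report): flag hosts whose Windows
# events show the combination of wiper behaviours described in the article.
import re
from collections import defaultdict

# Assumption: the operator lists the broadcast-critical process names to watch.
PROTECTED_PROCESSES = ("playoutserver.exe",)

# Constructed sample events modelled on the attack narrative (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "playout-01", "channel": "Security", "event_id": 4688,
     "cmdline": "taskkill /F /IM PlayoutServer.exe"},
    {"host": "playout-01", "channel": "Security", "event_id": 4688,
     "cmdline": r"cmd /c del /f /q C:\Playout\PlayoutServer.exe"},
    {"host": "playout-01", "channel": "Security", "event_id": 4724,
     "target_user": "broadcast_op"},
    {"host": "playout-01", "channel": "Security", "event_id": 1102},
    {"host": "playout-01", "channel": "System", "event_id": 104},
    {"host": "edit-07", "channel": "Security", "event_id": 4688,
     "cmdline": "editor.exe project.prj"},
]

# 1102 = Security log cleared, 104 = System log cleared.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


def match_rules(event, protected=PROTECTED_PROCESSES):
    """Return the names of every detection rule a single event satisfies."""
    hits = []
    if (event.get("channel"), event.get("event_id")) in LOG_CLEARED_IDS:
        hits.append("LOG_CLEARED")
    if event.get("event_id") == 4724:          # account password was reset
        hits.append("PASSWORD_RESET")
    if event.get("event_id") == 4688:          # new process created
        cmd = event.get("cmdline", "").lower()
        if any(proc in cmd for proc in protected):
            if "taskkill" in cmd:
                hits.append("PROCESS_KILL")       # playout process terminated
            if re.search(r"\b(del|erase)\b", cmd):
                hits.append("EXECUTABLE_DELETED")  # playout binary removed
    return hits


def detect(events, protected=PROTECTED_PROCESSES):
    """Map each host to the sorted list of distinct rules its events triggered."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev, protected):
            per_host[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def flagged_hosts(findings, threshold=2):
    """A lone reset or log clear is routine; several indicators together are not."""
    return sorted(h for h, rules in findings.items() if len(rules) >= threshold)
```

Running `flagged_hosts(detect(SAMPLE_EVENTS))` on the constructed events reports only `playout-01`, where all four indicators coincide, while the editing workstation stays quiet.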

Check Point discovered three backdoors used in the attack: one for taking screenshots (with a variation that can also run commands) and two others for downloading/uploading data, running cmd commands, proxy connections, and manipulating local files.

Check Point was able to link the malicious tools to the same cluster of activity based on multiple artefacts found in the analysed samples.

“The employment of wiper malware in an attack on an Iranian government entity compels us to compare the tools to those used by Indra, which was responsible for releasing a wiper in the Iranian Railways and Ministry of Roads systems.” Despite the fact that these wipers are coded and function in quite different ways, “certain implementation characteristics […] suggest that the criminals behind the IRIB hack may have been inspired by past attacks in Iran,” according to Check Point’s recent study.

Another hypothesis is that the attackers had inside aid because they were able to “carry off a difficult operation to evade security mechanisms and network segmentation” despite using low-quality and rudimentary tools.

While the exact extent of the damage caused by the attack is uncertain, MEK-affiliated publications recently reported that the strike may have destroyed more than 600 servers as well as broadcasting, production, and archival equipment.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.