Wiper Malware Used in Attack Against Iran’s Train System


Operational Security Mistakes Left Clues About Developer’s Skills, But Not Identity

Tehran’s rail station. (Photo: Mostafa Asgari via Wikimedia Commons/CC)

Nearly three weeks ago, Iran’s state railway operator was hit with a cyberattack that was disruptive and – somewhat unusually – also playful.


The attack caused train services to be disrupted as well as the transport ministry’s website to go down, Reuters reported.

But the attack wasn’t just designed for disruption. Attackers also programmed screens at train stations to show a number for travelers to call for more information about the problems.

The phone number, 64411, is for the office of Iran’s supreme leader, Ali Khamenei. In other words, as noted by Juan Andres Guerrero-Saade, a threat researcher at security firm…


Ransomware attack costs Illinois attorney general's office more than $2.5M – Chicago Tribune




Ransomware key to unlock customer data from attack

A computer key that can unlock the files of hundreds of companies which were hacked in a large-scale cyber-attack has been obtained, BBC reported on Friday.

US IT firm Kaseya – which was the first to be targeted earlier this month – said it got the key from a “trusted third party”.

Ransomware is malicious software that steals computer data and scrambles it so the victim cannot gain access.

The hackers then ask for payment in return for releasing the files.

Kaseya’s decryptor key will allow customers to retrieve missing files, without paying the ransom.

The company’s spokeswoman Dana Liedholm declined to answer whether Kaseya had paid for access to the key.

She told tech blog Bleeping Computer that the firm was actively helping customers restore their files.

The “supply chain” attack initially targeted Kaseya, before spreading through corporate networks which use its software.

Kaseya estimated that between 800 and 1,500 businesses were affected, including 500 Swedish Coop supermarkets and 11 schools in New Zealand.

After the attack at the beginning of July, criminal ransomware gang REvil demanded $70m worth of Bitcoin in return for a key that would unlock the stolen files.

But members of the group disappeared from the Internet in the days following the incident, leaving companies with no way of retrieving the data until now.

That’s the big question in the cyber-security world at the moment.

But really it is irrelevant for two reasons.

Firstly, giving away the key now is far too late for most of the victims of this massive ransomware attack.

The most desperate companies would have paid the gang already to get their operations back online, and others would hopefully be on their way to recovering by now without the help of the criminals.

Secondly, the mystery gifter was most probably linked to – or working with – the criminals directly.

It seems improbable that a well-run and experienced cyber-crime group like REvil would have accidentally leaked its most prized possession, or had it taken by some sort of secret law enforcement operation.

‘I’m told by a hacker who claims to be a part of the inner circle that it was “a trusted partner” who gave the key…


Clearfield target of ransomware attack; official says city now ‘up and running’ | Government

CLEARFIELD — The City of Clearfield’s computer system was the target of a ransomware attack, which prompted the city to turn off the network for much of last week to minimize the potential impact.

The unknown hackers have asked for a ransom “in the millions” of dollars to unlock access to the system. But J.J. Allen, Clearfield’s city manager, says the Davis County city is taking steps to get around the hack, hasn’t paid any money and may end up paying nothing. Either way, it’s a point of concern and the cyberattack put a big dent in city operations last week.

“Our phones were down all of last week. We had no internet. All of our systems were down. It was a rough week,” Allen said.

The city’s information technology staffers discovered the attack on July 11 and the city’s computer systems were subsequently shut down in response. The city is recovering data from backup systems managed separately from the main network and Allen said city operations started going back to normal late last week. As of Tuesday, he said the city was “back up and running” and he praised the “heroic efforts from our IT people.”

Even so, officials are still trying to pinpoint the extent of the infiltration, how it occurred, who may be behind it and what data, precisely, may be compromised. “That is still being investigated and analyzed,” Allen said.

In a statement on Wednesday, Mayor Mark Shepherd said the quick reaction of IT staffers “prevented this event from becoming an absolute disaster.” He also emphasized that city residents’ financial data was not compromised, which factored in not talking publicly about the matter until now, as word has seeped out.

“We are still in the middle of a negotiation with those whom the investigators refer to as ‘actors.’ I prefer to call them pirates, terrorists or simply thieves. When you are in the process of negotiating, the last thing you want is to show your cards or to show weakness,” Shepherd said.

Randy Boyle, a professor of management information systems at Weber State and a Fulbright scholar, said the Clearfield attack has the hallmarks of cyberattacks that have increasingly been occurring…