Critical Infrastructure Security
Operational Security Mistakes Left Clues About Developer’s Skills, But Not Identity
Nearly three weeks ago, Iran’s state railway operator was hit with a cyberattack that was disruptive and – somewhat unusually – also playful.
See Also: Live Webinar | Improve Cloud Threat Detection and Response using the MITRE ATT&CK Framework
The attack caused train services to be disrupted as well as the transport ministry’s website to go down, Reuters reported.
But the attack wasn’t just designed for disruption. Attackers also programmed screens at train stations to show a number for travelers to call for more information about the problems.
A phone number–64411–was displayed on boards of train stations today in #Iran amid the reported cyberattack on the rail system. It directed commuters there to call for more information. It matched the number to #Iran‘s Supreme Leader’s Office that is displayed on his website. pic.twitter.com/IQQ85I6QhJ— Iran International English (@IranIntl_En) July 9, 2021
The phone number, 64411, is for the office of Iran’s supreme leader, Ali Khamenei. In other words, as noted by Juan Andres Guerrero-Saade, a threat researcher at security firm…