Iran Retracts Reports of New Stuxnet-Like Attacks Against Utilities

Type threatpost
Reporter Michael Mimoso
Modified 2013-04-17T16:31:02


Iranian officials are retracting Christmas Day reports that malware resembling Stuxnet had been used to attack manufacturing facilities, including a power utility in southern Iran.

Ali Akbar Akhavan, head of Iran’s Passive Defense Organization, was quoted in reports yesterday by the Iranian Students’ News Agency that several utilities in the region had been under attack for months and that those attacks had been stopped.

Today, Akhavan said he was misquoted in the original reports and that he was announcing only that cyber defenses at these facilities had been shored up.

Akhavan reportedly said that malware had targeted electric company Bandar Abbas Tavanir Co. and other utility companies, and that his team had enlisted “skilled hackers” to beat back the attacks, which were concentrated against facilities in the Hormuzgan province in the south.

“At a press conference, we announced readiness to confront cyber attacks against Hormuzgan installations, which was mistakenly reported by the agencies as a cyber attack having been foiled,” Akhavan is reported to have told IRIB, Iran’s state broadcaster.

Iran has been more vocal about its cyber capabilities since Stuxnet was used to disrupt a uranium enrichment facility in that country in 2010, and in recent months in particular. Less than two weeks ago, Iran’s Maher Center, the country’s Computer Emergency Response Team (CERT), reported that new malware capable of wiping data from disk partitions was targeting computers in the country.

Dubbed Batchwiper, the malware was similar to the Wiper and Shamoon malware, both of which had similar data-wiping features.

Researchers at Kaspersky called Batchwiper simple yet effective. It targets files on drives D through I, as well as files stored on the desktop. Once it wipes a partition, it runs the chkdsk command to check the status of the infected drive and perhaps to make the attack look like hardware failure, Kaspersky said. Batchwiper runs only on particular dates, every three months through 2015; the next scheduled attack date is Jan. 21-23.

Kaspersky researcher Roel Schouwenberg said there has been no connection made between Batchwiper and any other previous data-wiping attacks.

Shamoon was likely the most destructive attack of 2012, destroying more than 30,000 workstations at the Aramco oil facility in Saudi Arabia. While oil production was unaffected by the attack, the malware did wipe disks clean and was able to infect and overwrite the master boot record on the workstations, rendering them useless.

The Wiper malware attacks also targeted and destroyed data on machines in Iran. Analysis of Wiper led Kaspersky researchers to discover Flame, which was related to Stuxnet and Duqu, which also targeted critical infrastructure in the Middle East.