A purported Iranian scientist working for the Atomic Energy Organization of Iran (AEOI) e-mailed an SOS to F-Secure Chief Research Officer Mikko Hypponen this weekend, saying the AEOI was under a cyber attack.
Hypponen, who is well-regarded in the security community, published a blog post this morning saying he can’t confirm the details, or even the existence, of the attack, but he can confirm that the e-mails were being sent from within the AEOI.
It sounds like the AEOI may have been hit with an infrastructure-targeting malware attack, similar to those that have plagued the Middle East since 2010 starting with Stuxnet. However, there’s no independent confirmation of this attack’s existence.
According to the e-mail, the malware shut down the AEOI “automation network” in its Natanz and Fordo facilities. The “scientist” specifically mentions Siemens hardware, which could be a reference to SCADA systems, the control systems that electronically monitor and operate various pieces of industrial infrastructure. These systems were targeted by Stuxnet, which brought down part of Iran’s nuclear fuel systems in 2010. He also mentions that the malware turned the computers’ volume up to maximum and blasted what appeared to be ‘Thunderstruck’ by AC/DC. Cyber criminals have to have a little humor too.
Iran has been the target of quite a few new pieces of malware this year, including the latest Flame malware that many describe as one of the biggest advancements in cyber espionage to date. The virus comes with 20 different modules that, when unpacked, spy on the infected computer, sending data back to its command and control servers. It detects when you’re using a communications app such as IM or Gmail, and takes screenshots to record your conversation. It can also turn on the computer’s microphone and record audio in the vicinity, sniff network traffic, log your keystrokes, and more.
A similar piece of malware called Madi was also uncovered recently. Madi enters the system through phishing e-mails. When the e-mail’s attachment is opened, Madi displays a decoy Word document or PowerPoint presentation while quietly installing the malware in the background. Like Flame, the trojan knows when a communications app is open and takes screenshots, as well as recording audio and logging keystrokes.
Both Flame and Madi attack critical infrastructure firms and government entities.
Whether or not this new attack is real, whether it is associated with either malware, and whether this is a new strain, are all still unknown. See the full e-mail below:
I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.
According to the email our cyber experts sent to our teams, they believe the hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am a scientist, not a computer expert.
There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing ‘Thunderstruck’ by AC/DC.
We have reached out to Hypponen and F-Secure and will update with more information upon hearing back.