Thursday 29 September 2022, 09:00 - 09:30
THIS PRESENTATION WILL BE GIVEN REMOTELY
Alexandra Gofman (Check Point)
Israel Gubi (Check Point)
Itay Cohen (Check Point)
The anniversary of the 1979 Islamic Revolution is a major yearly political celebration in Iran: streets are decorated with huge Iranian flags and balloons, rallies celebrate the achievements of the revolution, and of course state radio and television broadcast patriotic songs and programmes lauding Iran’s scientific and military achievements. This year, on January 27, only two weeks before this highly celebrated event, IRIB, Iran’s national broadcaster in charge of all radio and television services in the country, was hacked. This resulted in state-run TV channels broadcasting footage of opposition leaders Maryam and Masoud Rajavi, followed by an image of Iran’s Supreme Leader Ayatollah Khamenei crossed out in red lines, accompanied by an audio track calling for his assassination.
Our investigation shed light on the previously undiscussed technical implementation of this attack. We found the malicious executables used to air the opposition message, as well as multiple scripts and backdoors that enabled their execution. In addition, we discovered evidence that the attackers turned to wiper malware, indicating that the actor’s intention was not only to hijack the broadcast but also to irreversibly damage the networks of the state-affiliated TV and radio stations.
Continuing from where we left off in our VB2021 talk about the attacks against Iranian Railways, we will start with an overview of the latest cyber-attacks against Iran’s infrastructure and the groups operating against targets inside the country. Then, we will take a deep dive into the technical details of the IRIB attack, and will dissect the multiple malware samples and forensic artifacts we discovered. We will also share our insights into the possible forces behind this attack. Lastly, we will discuss the details that came out after our research went public: additional technical pieces shared by fellow researchers, some of the conclusions drawn from this publication by the Iranian cyber community, and, unsurprisingly, the new wave of attacks committed by the same actor.
Alexandra Gofman has more than six years of diverse experience in cybersecurity and now leads the Threat Intelligence Analysis Team at Check Point Research, focusing on Advanced Persistent Threat attacks, cybercrime, malware analysis and cyber threat intelligence. Alexandra speaks Hebrew, English and Russian and holds a Master’s degree in engineering physics.
Israel Gubi is a security researcher and reverse engineer in the Malware Research Team at Check Point Research. Israel joined Check Point in 2017 and was part of the first cycle of the Check Point Security Academy. Israel mainly focuses on malware analysis and malware hunting of both cybercrime and Advanced Persistent Threat campaigns. In his free time, Israel loves any kind of sports, especially tennis and bouldering.
Itay Cohen (a.k.a. Megabeets) is a reverse engineer and the Head of Research at Check Point Research. Itay has vast experience in malware reverse engineering and other security-related topics. He is the author of a security blog focused on making advanced security topics accessible for free. Itay is a maintainer of the open-source reverse engineering frameworks Rizin and Cutter. In his free time, he loves to participate in CTF competitions and contribute to open-source projects.