Iranian hackers deploy new ZeroCleare data-wiping malware
Security researchers from IBM said today they identified a new strain of destructive data-wiping malware that was developed by Iranian state-sponsored hackers and deployed in cyber-attacks against energy companies active in the Middle East. IBM did not name the companies that have been targeted and had data wiped in recent attacks. Instead, IBM's X-Force security team focused on analyzing the malware itself, which they named ZeroCleare.
Unlike many cyber-security firms, IBM's X-Force team did not shy away from attributing the malware and the attacks to a specific country -- in this case, Iran. But unlike many previous cyber-attacks, which are usually carried out by a single group, IBM said this malware and the attacks behind it appear to be the result of a collaboration between two of Iran's top-tier government-backed hacking units.
As for the malware itself, ZeroCleare is your classic "wiper," a strain of malware designed to delete as much data as possible from an infected host. Wiper malware is usually used in two scenarios. It's either used to mask intrusions by deleting crucial forensic evidence, or it's used to damage a victim's ability to carry out its normal business activity -- as was the case in attacks like Shamoon, NotPetya, or Bad Rabbit. IBM said that none of the ZeroCleare attacks were opportunistic; they appeared to target very specific organizations. Past Shamoon attacks targeted companies in the energy sector that were active in the Middle East region, companies that were either Saudi-based or known partners of Saudi-based oil & gas enterprises.