One of the most intriguing stories to emerge from the wartime period involving Iran unfolded in the world of cyberspace.
-
A new piece of malware called CanisterWorm has recently been attacking systems around the world.
This malware is a worm — it copies itself from machine to machine across the internet, infecting servers and computers as it spreads.
What makes it particularly interesting is that it only wipes systems identified as Iranian, based on the system's time zone — which is unique to Iran — combined with verification that the system language is set to Persian.
-
The design of this worm is original and fascinating.
It spreads across the network via a supply chain attack: Trivy, a popular code-scanning tool used by companies to detect security vulnerabilities in their code, was compromised and used to harvest developer credentials.
Those credentials were then used to publish versions and patches to numerous widely used code packages. The malware spread itself by pushing updates to various packages while impersonating legitimate developers, infecting more and more machines at a rapid pace.
After infecting a computer or server, the worm waits for a command from a central command-and-control server. Normally, when malware of this kind is exposed, law enforcement shuts down the command-and-control server, preventing the distribution of malicious commands.
In this case, however, the command-and-control server is hosted on a decentralized crypto network, making it virtually impossible to take down.
-
The malware has proven to be particularly destructive.
It is capable of aggressively wiping entire systems — but if the machine is not identified as Iranian, it causes no damage, only collecting data and sending it back to the attackers.
Development of the malware has been attributed to a threat actor known as TeamPCP, which typically operates for financial extortion motives. Why they chose this time to intervene politically and target Iran specifically remains an open question.
--
👋 Hi, I'm Shlomo Strauss — follow me for more content on science and technology.
Photo: Boitumelo