IBM sounds alarm about more data-wiping malware from Iran

The new research is the latest indication of Iran’s disruptive capabilities in cyberspace.

IBM’s security experts said Wednesday they have uncovered previously unknown malware developed by Iranian hackers that was used in a data-wiping attack against unnamed energy and industrial organizations in the Middle East.

The newfound malware, dubbed ZeroCleare, “spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to fully recover from,” Limor Kessem, an Israel-based analyst with IBM’s X-Force incident response team, wrote in a blog post.

The discovery adds to years of evidence that hackers linked to the Iranian government have developed and deployed data-destroying code against multiple targets in the Middle East. Security analysts have warned that Iran could step up its use of cyberattacks amid heightened tensions with Saudi Arabia and the United States.

IBM analysts believe APT34 — a hacking group linked with the Iranian government — and at least one other group based in Iran “collaborated on the destructive portion of the ZeroCleare attack.”


Like Shamoon, the infamous malware also linked to Iran that damaged tens of thousands of computers at oil giant Saudi Aramco in 2012, ZeroCleare is designed to overwrite the master boot record (MBR) on Windows machines. The MBR is a program that executes every time a computer is restarted, making it a vital engine for an operating system.

Both sets of malware abuse EldoS RawDisk, a legitimate program used to handle files and digital partitions, according to Kessem.

“It is possible that it is a recently developed malware and that the campaign we analyzed is one of the first to use this version,” she wrote, noting that ZeroCleare exploits a vulnerable computer driver to get around Windows controls.

The new IBM research is the latest indication of Iran’s disruptive intentions in cyberspace.

Last month, Microsoft security researchers said APT33, an aggressive Iran-linked hacking group, had shifted its targeting to industrial control systems used in the energy sector. “You have an actor that has been linked to deployment of destructive payloads in the past,” said Microsoft security researcher Ned Moran, laying out his concerns.


A decade ago, it was Iran that suffered a cyberattack that actually destroyed physical equipment when Stuxnet, the computer worm reportedly developed by the U.S. and Israel, was used to knock out centrifuges at an Iranian uranium enrichment facility. NSA officials have worried that the Iranians learned from capabilities such as Stuxnet to augment their own hacking abilities, according to a document leaked by former NSA contractor Edward Snowden.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
