Threats Feed | ITG13 | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 04/12/2019

ZeroCleare Wiper Targets Middle Eastern Energy Sector in Destructive Cyberattack

  • Actor Motivations: Sabotage
  • Attack Vectors: Malware, Wiper
  • Attack Complexity: Very High
  • Threat Risk: High Impact/Low Probability

Threat Overview

IBM's X-Force team has detailed a new destructive malware, ZeroCleare, targeting the energy sector in the Middle East. The wiper, which resembles Shamoon, overwrites data and abuses legitimate tools to do so. Attribution points to Iranian state-sponsored groups, possibly a collaboration between ITG13 and another entity. The report highlights the increase in destructive attacks, particularly against the energy sector, and offers mitigation strategies, including the use of threat intelligence, robust security controls and effective backup systems. Finally, it notes the wider geopolitical implications of such attacks.

Detected Targets

Type    | Description              | Confidence
Sector  | Energy                   | Verified
Region  | Middle East Countries    | Verified

Extracted IOCs


Tip: 14 IOCs related to this threat have been found (3 IP addresses, 0 domains, 0 URLs, 0 email addresses, 11 file hashes).

Overlaps

(Actor: Unknown) Unveiling Dustman: A ZeroCleare Offshoot Wiping Data in the Middle East

Source: IBM - January 2020

Detection (six cases): 1a69a02b0cd10b1764521fec4b7376c9, 1ef610b1f9646063f96ad880aad9569d, 36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c, 993e9cb95301126debdea7dd66b9e121, cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986, eaea9ccb40c82af8f3867cd0f4dd5e9d

(Actor: OilRig) OilRig's Global Cyber Offensive: Credential Theft and Persistent Access

Source: Palo Alto Networks - April 2019

Detection (one case): 193[.]111.152.13

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
ITG13