“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country,” said Iran’s Communication and Information Technology Ministry in a statement.
It said the attack that hit internet service providers and cut off web access for subscribers was made possible by a vulnerability in routers from Cisco, which had earlier issued a warning and provided a patch, but some firms had failed to install it over the Iranian new year holiday.
“Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol,” said Nick Biasini, a threat researcher at Cisco. “Some of these attacks are believed to be associated with nation-state actors, such as those described in US CERT's recent alert.”
Biasini was referring to a warning issued by the US Department of Homeland Security last month concerning attacks by Russian government-sponsored groups on critical infrastructure.
“As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths,” he said.
The vulnerability in Cisco’s smart install client was first identified in 2016, when it was found that roughly 251,000 clients were exposed to it.
But despite Cisco releasing tools to patch the hole, 168,000 systems still remain vulnerable.
On Saturday evening, Cisco said those postings were a tool to help clients identify weaknesses and repel a cyber-attack.
Iran’s IT Minister Mohammad Javad Azari-Jahromi posted a picture of a computer screen on Twitter with the image of the US flag and the hackers’ message. He said it was not yet clear who had carried out the attack.
Azari-Jahromi said the attack mainly affected Europe, India and the United States, state television reported.
“Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 per cent,” Azari-Jahromi was quoted as saying.
In a tweet, Azari-Jahromi said the state computer emergency response body MAHER had shown “weaknesses in providing information to (affected) companies” after the attack which was detected late on Friday in Iran.
Hadi Sajadi, deputy head of the state-run Information Technology Organisation of Iran, said the attack was neutralised within hours and no data was lost.