TeamPCP Targets Kubernetes Clusters with Iran-Specific Wiper Malware
- [01] Immediate impact: Iranian Kubernetes clusters face permanent data loss due to targeted wiper malware deployed via exposed management interfaces.
- [02] Affected systems: Kubernetes clusters with publicly accessible dashboards or APIs and systems configured with Iranian IP addresses or timezones.
- [03] Remediation: Restrict access to Kubernetes APIs and dashboards using firewalls and implement strong Role-Based Access Control policies immediately.
A destructive campaign orchestrated by the threat group TeamPCP has been identified targeting exposed Kubernetes environments to deploy data-wiping malware. According to BleepingComputer, the attackers leverage automated scanning tools to find misconfigured clusters, primarily focusing on those with Iranian geographic markers or system settings.
Analysis of the Kubernetes Exploitation Chain
The attack sequence begins with widespread scanning for common Kubernetes ports, such as 6443 (API Server), 8443, and 10250 (Kubelet API). If an interface is found without authentication or with weak credentials, the attackers gain entry. Unlike many APT groups that seek long-term persistence or Lateral Movement, TeamPCP’s primary objective in this campaign appears to be localized destruction.
Once access is established, the group utilizes a custom tool or script, often referred to as “Kube-Wiper,” to deploy malicious containers. These containers are configured to run with high privileges, allowing the script to interact directly with the host filesystem. Security operations centers that need to detect TeamPCP Kubernetes attacks should look for the creation of unauthorized pods with names that mimic legitimate system services or administrative tools.
The Wiper Mechanism and Target Identification
The payload is distinct because it includes a conditional check to ensure it only activates on Iranian infrastructure. The script typically performs the following checks:
- Timezone Verification: It inspects the `/etc/timezone` or `/etc/localtime` files for the string “Asia/Tehran”.
- Geolocation: It performs an external IP lookup to determine if the cluster is hosted within Iranian IP blocks.
If these conditions are met, the script executes the command `rm -rf / --no-preserve-root`, effectively destroying the operating system and all hosted data. This TTP suggests a geopolitically motivated operation rather than a financially driven Ransomware attack. Because no CVE is exploited—relying instead on administrative misconfigurations—traditional vulnerability scanners may not flag the risk unless they are specifically looking for exposed services.
Implementing Kubernetes Cluster Wiper Mitigation
To defend against these destructive attacks, administrators must prioritize the security of the control plane. Protecting Kubernetes APIs from unauthorized access is the most effective way to break the attack chain. This involves disabling the Kubernetes Dashboard if it is not required or ensuring it is behind a Zero Trust gateway or VPN.
Furthermore, practitioners should implement strict Role-Based Access Control (RBAC) to limit the permissions of service accounts. Use Network Policies to restrict traffic between pods and ensure that the Kubelet API is not accessible from the public internet. Organizations should also ingest Kubernetes audit logs into a SIEM or SOC platform to identify anomalous container deployment patterns. Frequent off-site backups are the only reliable recovery method if a wiper successfully executes, as the data destruction is irreversible. Monitoring for suspicious IoC markers, such as specific container image registries or unusual outbound API calls to geolocation services, can provide early warning of an impending wipe operation.
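The audit-log review recommended above, and the privileged-pod pattern described in the exploitation chain, can be turned into a concrete detection. The following is an added example, not code from the article or from any vendor tool; it runs over constructed Kubernetes audit events (the field names follow the standard audit Event schema, the pod names, images and principals are invented) and flags pod creations by an unauthenticated caller, with a privileged container, or with a hostPath volume that mounts the node's root filesystem.

```python
import json

# Constructed Kubernetes audit events (not real captures), trimmed to the
# fields the detection needs: who created the pod and what it asked for.
SAMPLE_AUDIT_LINES = [
    json.dumps({"verb": "create",
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-helper"},
                "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
                "requestObject": {"spec": {
                    "containers": [{"name": "c", "image": "docker.io/example/tool:latest",
                                    "securityContext": {"privileged": True},
                                    "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
                    "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}),
    json.dumps({"verb": "create",
                "objectRef": {"resource": "pods", "namespace": "web", "name": "frontend-abc"},
                "user": {"username": "system:serviceaccount:web:deployer"},
                "requestObject": {"spec": {
                    "containers": [{"name": "web", "image": "registry.internal/web:1.2"}]}}}),
    json.dumps({"verb": "get", "objectRef": {"resource": "pods", "namespace": "web", "name": "frontend-abc"},
                "user": {"username": "admin"}}),
]

def pod_risk_flags(event: dict) -> list[str]:
    """Reasons a pod creation matches the campaign's pattern: an anonymous caller
    launching a privileged container that can reach the node's root filesystem."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return []
    flags = []
    user = event.get("user", {})
    # Anonymous API requests carry username system:anonymous and group system:unauthenticated.
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        flags.append("unauthenticated creator")
    spec = event.get("requestObject", {}).get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            flags.append(f"privileged container '{c.get('name')}'")
    for v in spec.get("volumes", []):
        if (v.get("hostPath") or {}).get("path") == "/":
            flags.append(f"hostPath volume '{v.get('name')}' mounts /")
    return flags

def scan_audit_log(lines) -> dict[str, list[str]]:
    """Map 'namespace/pod' to its risk flags for every creation worth an alert."""
    alerts = {}
    for line in lines:
        event = json.loads(line)
        flags = pod_risk_flags(event)
        if flags:
            ref = event["objectRef"]
            alerts[f"{ref.get('namespace')}/{ref.get('name')}"] = flags
    return alerts
```

In a real deployment the same checks would run on the audit webhook or log sink feeding the SIEM, and a hit on all three flags at once is a strong candidate for an immediate page rather than a low-priority ticket.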