In July, a cyberattack disrupted train services in Iran. Now Israel’s Check Point Research has unmasked the culprits behind the attack. Check Point found that a small group opposed to the current Iranian regime, called Indra, carried it out.
Indra is named after the Hindu god of war. The group’s official Twitter account states that they are “aiming to bring a stop to the horrors of QF (Quds Force) and its murderous proxies in the region.”
Iranian news outlets at the time reported that the hackers posted false messages about train delays or cancellations on information boards at stations across the country. The hackers also advised travelers to call a phone number for further information. As it turned out, the number given belongs to the office of the country’s supreme leader, Ayatollah Ali Khamenei.
Itay Cohen, a senior researcher at Check Point, said, “It is very possible that Indra is a group of hackers, made up of opponents of the Iranian regime, acting from either inside or outside the country, that has managed to develop its own unique hacking tools and is using them very effectively.”
Describing the cyberattack as a “successful politically motivated attack on Iranian infrastructure,” Check Point research attributed blame to a non-state sponsored actor. “This specific attack happened to be directed at Iran, but it could as easily have happened in New York or Berlin,” explains Check Point.
The attacks took place on July 9th and 10th, 2021. The systems of Iranian Railways and the Ministry of Roads and Urban Development were victimized by hackers. Check Point Research investigated these attacks and found multiple pieces of evidence that they relied heavily on the attacker’s prior knowledge and reconnaissance of the targeted networks.
Check Point found the attack to be “tactically and technically similar to previous activity against multiple private companies in Syria which was carried out at least since 2019.” The attackers developed and deployed within victims’ networks at least three different versions of the wiper, dubbed Meteor, Stardust, and Comet, explained the company.
“Judging by the quality of the tools, their modus operandi, and their presence on social media, we find it unlikely that Indra is operated by a nation-state actor,” explained Check Point.
The company went on to explain in its report exactly how the cyberattack was carried out. It was done using a type of malware known as a wiper.