Hacker group behind cyberattack on Iran's train system: Israeli cybersecurity firm

An Iranian opposition group is behind a July cyberattack that caused unprecedented chaos at train stations in Iran, a new report by a leading cybersecurity company has claimed.

In a report published on Saturday, Israeli American cybersecurity company Check Point Software Technologies identified the Iranian opposition group "Indra" as the actor behind the July 9 attack.

The attack, initially attributed to Israel, had led Tehran to attack an Israeli-owned ship a few weeks later.

Hackers caused major disruption to railway services when they posted fake messages about alleged train delays and cancellations on display boards at stations across Iran. They listed the phone number of Iranian officials, including that of the office of the country's supreme leader, Ayatollah Ali Khamenei, as customer service numbers to call for more information.

Check Point classified the attack as inflicting “nation-state level damage” despite it not originating from a nation-state level actor.  

"We have seen many cyberattacks connected with what are believed to be professional intelligence or military units," Itay Cohen, a senior researcher at Check Point, told The New York Times. "But here, it seems to be something else entirely."

The New York Times, which reviewed the report, called the attack a cautionary tale.

"An opposition group without the budget, personnel or abilities of a government could still inflict a good deal of damage," it said.

When a cyberattack on Iran’s railroad system last month caused widespread chaos, fingers pointed at Israel. But a new investigation by Check Point concluded that Indra, mysterious group opposed to the Iranian government was most likely behind the hack. https://t.co/Ja2ZjsF88B

— Ronen Bergman (@ronenbergman) August 14, 2021

According to the report, "there is no magic shield that prevents a non-state sponsored entity from creating the same kind of havoc and harming critical infrastructure in order to make a statement" and the attack "could as easily have happened in New York or Berlin".

Indra identifies itself as a regime opposition group and is named after the god of war in Hindu mythology.

The company listed among the factors pointing to Indra’s culpability the tactical and technical similarity to previous attack against private companies in Syria since 2019.

To carry out its cyber attacks, Indra runs what is known as a "wiper", a malware designed to wipe the entire data system of critical infrastructure, making the recovery process complicated and locking users out of machines by changing passwords and replacing wallpapers with custom messages crafted by the attackers.

Indra has developed unique and exclusive attack tools and had demonstrated intelligence-gathering ability.

Check Point said it found a strong link between the tools and methods used in the July train hack and past hacks claimed by Indra, with the files used in July being an updated and improved version of those used in 2019 and 2020 in attacks claimed by the group.

The group’s Twitter account claims its aim is "to bring a stop to the horrors of QF and its murderous proxies in the region!".

In 2019, Indra claimed it had hacked the servers of a Syrian-based company dealing with international money transfers and foreign currency trading, the Fadel Exchange and International Forwarding Company, which it accused of financing the Quds Force and Hezbollah.

In 2020, it claimed to have hacked Cham Wings Airlines, which has been under US Treasury sanctions since 2016 for aiding the Syrian regime in the country's civil war.