The recent attacks that targeted Iran’s transport ministry and national train system were conducted by a threat actor dubbed Indra.
In July, Iran’s railroad system was hit by a cyberattack, threat actors published fake messages about delays or cancellations of the trains on display boards at stations across the country, the Fars news agency reported.
The messages on the boards informed passengers that the trains were “long delayed because of cyberattack” or “canceled.” The messages also urged passengers to call for information and provided the phone number of the office of the country’s supreme leader, Ayatollah Ali Khamenei.
The cyber attack led to “unprecedented chaos” at rail stations in the country. The Fars agency attempted to downplay the effects of the attack and pointed out that it did not cause disruption.
According to an analysis published by Check Point, the attack was conducted by a threat actor dubbed Indra that also targeted in the past multiple Syrian organizations with wiper malware.
“The attacks on Iran were found to be tactically and technically similar to previous activity against multiple private companies in Syria which was carried at least since 2019. We were able to tie this activity to a threat group that identify themselves as regime opposition group, named Indra.” states the report.
According to research from Amnpardaz and SentinelOne, the attackers employed a wiper malware dubbed Meteor and not by ransomware as initially thought. Meteor was a previously undetected strain of malware, but experts were not able to link it to specific advanced persistent threat actors.
A file named mssetup.exe was used as a screenlocker that locked the user out of their systems, and the nti.exe file used to corrupt the system’s master boot record (MBR).
Check Point Research tracked the wiper as Nuke-it-From-Orbit-ware and attributes it to the Indra group, who deployed at least three different variants of a wiper dubbed Meteor, Stardust, and Comet on victims’ systems since 2019.
Unlike other research teams, CheckPoint experts believe that Indra is not a nation-state actor. The Indra group operate multiple social network accounts on different platforms, including Twitter, Facebook, Telegram, and Youtube, it claims to be against the Iranian regime, and Iranian sources linked it to hacktivist or cybercriminal groups.
The official twitter account of the group states that they are “aiming to bring a stop to the horrors of QF and its murderous proxies in the region.” The group orchestrated multiple attacks against different companies who allegedly cooperate with the Iranian regime, especially with the Quds-Force and Hezbollah.
Some of the most important Indra attacks include:
- September 2019: an attack against Alfadelex Trading, a currency exchange and money transfer services company located in Syria.
- January 2020: an attack against Cham Wings Airlines, a Syrian-based private airline company.
- February 2020 and April 2020: seizure of Afrada’s and Katerji Group’s network infrastructure. Both companies are situated in Syria as well.
- November 2020: Indra threatens to attack the Syrian Banias Oil refinery, though it is not clear whether the threat was carried out.
Experts pointed out that unlike previous operations of the group, Indra did not publicly take responsibility for the attacks against the Iranian Railways and the Ministry of Roads and Urban Development.
“By carrying out an analysis of this latest attack against Iran, we were able to reveal its convoluted execution flow as well as 2 additional variants of the final ‘wiper’ component. These tools, in turn, were used previously in attacks against Syrian companies, for which the threat actor Indra took responsibility officially on their social media accounts.” concludes the report. “While Indra chose not to take responsibility for this latest attack against Iran, the similarities above betray the connection.”
(SecurityAffairs – hacking, Idra group)