September 3, 2021
An Iranian opposition group was behind a July cyberattack on Iran’s railway system that the state news agency said caused “unprecedented chaos” at train stations.
A new report, released August 15 by the Israeli-American cybersecurity company Check Point Software Technologies, cited an Iranian opposition group using the name Indra as the organizer of the attack.
Just exactly who or what Indra is remains unknown. Check Point said Indra previously had only attacked businesses in Syria and this was its first attack on a target in Iran. But Check Point said it was able to trace the attacks to the group calling itself Indra, the Hindu god of war, and identifying itself as opposed to the Islamic Republic.
On July 9 and 10, the hackers posted fake messages on the Iranian railways' web pages about train delays and cancellations; the fake messages even appeared on display boards at stations all across Iran. The messages urged passengers to call for more information, listing the phone number of the office of Supreme Leader Ali Khamenehi.
The Iranian Transport Ministry said a “cyber disruption” had affected its computer systems, taking down its website and links associated with it. But, very unusually, Tehran did not blame anyone; normally the Islamic Republic blames Israel for just about everything these days, and much of the speculation in the media in both East and West pinned blame on Israel.
Check Point said its search for the hackers “led us to dozens of files, all uploaded from the same two sources located in Iran.”
It said, “Our scrutiny revealed not only the attacks’ targets, but also the identity of the group behind these operations, a group that calls itself ‘Indra’ after the Hindu god of war. In fact, Indra did not try to hide that they are responsible for these operations and left their signature in multiple places. The image that was displayed by the attackers on the victims’ locked computers announces, ‘I am Indra’.”
Indra has a Twitter account on which it states that it is “‘aiming to bring a stop to the horrors of QF [Qods Force] and its murderous proxies in the region’ and they claim to be very focused on attacking different companies who allegedly cooperate with the Iranian regime,” Check Point said. That would explain the attacks on Syrian businesses.
But beyond that, Check Point had no information on what Indra was or who runs it. It also said it did not know if Indra was based inside or outside Iran.