Hacker group, not Israel, behind cyberattack on Iran’s train system

A shadowy group – not Israel – was behind a July cyberattack on Iran’s railroad system that, according to state media, caused “unprecedented chaos” at train stations and reportedly led Tehran to attack an Israeli-owned ship a few weeks later, a new report says.

The report, released Saturday by the Israeli-American cybersecurity company Check Point Software Technologies, named the Iranian opposition group Indra as the actor behind the attack, which it characterized as having inflicted “nation-state-level damage.”

During the July 9 attack, the hackers posted fake messages about alleged train delays and cancellations on display boards at stations across Iran. They also urged passengers to call for more information, listing the phone number of the office of the country’s supreme leader, Ayatollah Ali Khamenei.

On the following day, the Iranian transportation ministry said a “cyber disruption” had affected its computer systems, taking down its website and links associated with it.

In its report, Check Point said those assaults were carried out using a version of a hacking tool deployed in previous attacks on Iranian interests in Syria that Indra – which is named for a Hindu war god – had claimed responsibility for in 2019 and 2020.

According to one report, Iran may have believed Israel was behind the cyberattacks, and chose to retaliate by launching a drone attack against the Israeli-owned oil tanker MT Mercer Street on July 29, killing two crew members and sparking an international uproar.

Check Point said the case highlighted the danger of “a non-state sponsored entity… creating the same kind of havoc” as a state actor with far more resources.

Israel and Iran have been engaged in a years-long shadow war, with Israel allegedly directing most of its efforts – including multiple suspected cyberattacks – at sabotaging the Islamic Republic’s nuclear program.

