Destructive attacks that targeted Iran's transport ministry and national train system were coordinated by a threat actor dubbed Indra, who previously deployed wiper malware on the networks of several Syrian organizations.
Last month, Iran's railways and transport ministry were hit by a cyberattack that took down their websites and disrupted train service throughout the country.
"The attacks on Iran were found to be tactically and technically similar to previous activity against multiple private companies in Syria which was carried out at least since 2019," Check Point Research analysts who made the connection said.
"We were able to tie this activity to a threat group that identifies itself as a regime opposition group, named Indra."
The attackers deployed a previously unseen file wiper called Meteor on the targets' systems. They displayed messages on the railway's message boards saying that the trains were canceled or delayed, asking passengers to contact the office of Supreme Leader Ali Khamenei for more information.
Hacktivist or cybercrime group targeting IRGC-affiliated entities
Wipers, or Nuke-it-From-Orbit-ware as Check Point Research called them, are designed to destroy data or brick breached devices, usually as cover for other attacks taking place at the same time.
Indra developed and deployed at least three different variants of a wiper, dubbed Meteor, Stardust, and Comet, on victims' networks throughout the years since they first surfaced in 2019.
Despite this, the group's modus operandi, the quality of their tools, and their willingness to claim attacks on social media make it unlikely that Indra is a nation-state sponsored threat actor.
However, as SentinelOne security researcher Juan Andres Guerrero-Saade observed in a report analyzing the Iranian attack published two weeks ago, the threat actor was able to remain undetected during the reconnaissance phase of their attack despite displaying a general lack of skill.
"There's feature redundancy between different attack components that suggests an uncoordinated division of responsibilities across teams," Guerrero-Saade said. "And files are distributed in a clunky, verbose, and disorganized manner unbecoming of advanced attackers."
Regardless of their skill level, based on Iranian media reports from last year, Indra appears to be a cybercriminal or hacktivist group that apparently targets entities affiliated with the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces.
Iranian wiper attacks remain unclaimed
Indra has previously shared successful attacks on social media on several platforms, including Twitter, Facebook, Telegram, and YouTube.
Based on Indra's social media activity since 2019, Check Point Research found that Indra has claimed the following attacks:
- September 2019: an attack against Alfadelex Trading, a currency exchange and money transfer services company located in Syria.
- January 2020: an attack against Cham Wings Airlines, a Syrian-based private airline company.
- February 2020 and April 2020: seizure of Afrada's and Katerji Group's network infrastructure. Both companies are located in Syria as well.
- November 2020: Indra threatens to attack the Syrian Banias oil refinery, though it's not clear whether the threat was carried out.
However, the hacking group chose not to take responsibility for last month's attacks against the Iranian Railways and the Ministry of Roads and Urban Development.
Despite this, Check Point Research was able to find several similarities (the tools, the Tactics, Techniques and Procedures (TTPs), and the attack's highly targeted nature) directly connecting them with these incidents.