• Mysterious Hacker Group Suspected in July Cyberattack on Iranian Trains

    From (David P.)@21:1/5 to All on Tue Aug 17 11:36:29 2021
    Mysterious Hacker Group Suspected in July Cyberattack on Iranian Trains
    By Ronen Bergman, 8/14/21, NY Times

    TEL AVIV — When a cyberattack on Iran’s railroad system
    last month caused widespread chaos with hundreds of trains
    delayed or canceled, fingers naturally pointed at Israel,
    which has been locked in a long-running shadow war w/Tehran.

    But a new investigation by an Israeli-American cybersecurity
    co, Check Point Software Technologies, concluded that a
    mysterious group opposed to the Iranian govt was most likely
    behind the hack. That is in contrast to many previous cyber-
    attacks, which were attributed to state entities. The group
    is known as Indra, named after the god of war in Hindu myth.

    “We've seen many cyberattacks connected with what are
    believed to be professional intel or military units,” said
    Itay Cohen, a senior researcher at Check Point. “But here,
    it seems to be something else entirely.”

    The company’s report, which was reviewed by The NY Times,
    said the attack was a cautionary tale: An opposition group
    without the budget, personnel or abilities of a govt could
    still inflict a good deal of damage.

    Iran & its nuclear program have been the target of a series
    of cyberattacks over recent years, including a campaign
    from 2009-10 directed by Israel & the US against a uranium
    enrichment facility.

    Tehran, in turn, has been accused of hacking other govts,
    cybersecurity companies & websites over the past decade.
    In one instance, the US accused computer specialists who
    regularly worked for Iran’s Islamic Revolutionary Guards
    Corps of carrying out cyberattacks on dozens of American
    banks & trying to take over the controls of a small dam
    in a suburb of New York City.

    In cases where Iran has acknowledged it was a victim of
    a cyberattack, it usually accused foreign countries. But
    after the attack on July 9 on the railway system, Tehran
    didn't blame anyone & there was no claim of responsibility.

    Check Point said the hack bore striking similarities to
    others against companies connected to the Iranian govt
    that Indra had claimed in 2019 & 2020.

    “It's very possible that Indra is a group of hackers,
    made up of opponents of the Iranian regime, acting from
    either inside or outside the country, that has managed to
    develop its own unique hacking tools & is using them very
    effectively,” Cohen said.

    Such a group could still be backed by a state, or its
    name could be used as a cover for one, but Check Point &
    other experts said they had found no indication of that.

    Ari Eitan, the VP of research at Intezer, a NY-based co
    that specializes in the comparison of codes in different
    cyberweapons, also said there was a strong link between
    the tools & methods used in the July train hack & past
    hacks claimed by Indra.

    “They share code genes that were not seen anywhere else
    but in these attacks, & the files used last July are an
    updated & improved version of those used in 2019 & 2020,”
    he said. “Based on the code connections, it’s safe to
    assume the same group is behind all attacks.”

    Indra first surfaced on social media shortly before its
    first hacking claim in 2019 & has since posted in English
    & Arabic. It has claimed responsibility for a series of
    attacks targeting companies linked to Iran & its proxies,
    like Hezbollah, the Lebanese militant group.

    The group’s Twitter account says its mission is to “bring
    a stop to the horrors of QF & its murderous proxies in
    the region,” referring to the Quds Force — the foreign-
    facing branch of the Revolutionary Guards — & the proxy
    militias it oversees around the Middle East.

    On the day of the train attack, an announcement appeared
    on electronic timetable boards at R.R. stations across
    Iran saying: “Long delays due to cyberattacks.” The msg
    itself was the work of the hackers &, in a sardonic twist,
    it advised confused travelers to seek more info by calling
    64411, the office number of Iran’s supreme leader,
    Ayatollah Ali Khamenei.

    A day later, the Iranian Transport Ministry’s computer
    system was also hacked, severely disrupting operations.
    In both attacks, similar notices popped up on computer
    screens making clear that it was a hack, though there was
    no mention of Indra in the claims.

    Check Point said that its investigation found that the
    hackers engaged in intel gathering before their attack.
    An identical break-in tool was used for both hacks,
    disabling the computers by locking them & wiping their
    contents. The tool, called Wiper, is an advanced version
    of the same one that Indra has been using since 2019,
    acc. to Check Point.

    “What we're seeing here are patterns that are different
    from anything we have seen in the past in attacks executed
    by states,” said Cohen, adding that Indra had developed
    unique & exclusive attack tools & had demonstrated intel-
    gathering ability.

    He also said that the group appeared to be in the process
    of developing its abilities, but that it was still far
    from the level of sophistication of a state-run cyberassault.

    Their operations, Cohen said, appeared “more like a team
    of ideologically motivated youngsters with capabilities
    they have taught themselves in the cyberworld than like
    an orderly and organized body.”

    In 2019, Indra claimed that it had hacked the servers of
    the Fadel Exchange and Int'l Forwarding Co, a Syrian-
    based company dealing with int'l money transfers & foreign
    currency trading. Indra accused the company of helping to
    finance the Quds Force & Hezbollah.

    In 2020, Indra claimed that it had hacked the Syrian
    privately owned Cham Wings Airlines, which has been under
    U.S. Treasury sanctions since 2016 for aiding the Syrian
    govt in the country’s civil war.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)