Mysterious Hacker Group Suspected in July Cyberattack on Iranian Trains

By Ronen Bergman, Aug. 14, 2021, The New York Times
TEL AVIV — When a cyberattack on Iran’s railroad system last month caused widespread chaos with hundreds of trains delayed or canceled, fingers naturally pointed at Israel, which has been locked in a long-running shadow war with Tehran.

But a new investigation by an Israeli-American cybersecurity company, Check Point Software Technologies, concluded that a mysterious group opposed to the Iranian government was most likely behind the hack. That is in contrast to many previous cyberattacks, which were attributed to state entities. The group is known as Indra, named after the god of war in Hindu mythology.

“We've seen many cyberattacks connected with what are believed to be professional intelligence or military units,” said Itay Cohen, a senior researcher at Check Point. “But here, it seems to be something else entirely.”

The company’s report, which was reviewed by The New York Times, said the attack was a cautionary tale: An opposition group without the budget, personnel or abilities of a government could still inflict a good deal of damage.
Iran and its nuclear program have been the target of a series of cyberattacks over recent years, including a campaign from 2009 to 2010 directed by Israel and the United States against a uranium enrichment facility.

Tehran, in turn, has been accused of hacking other governments, cybersecurity companies and websites over the past decade. In one instance, the United States accused computer specialists who regularly worked for Iran’s Islamic Revolutionary Guards Corps of carrying out cyberattacks on dozens of American banks and trying to take over the controls of a small dam in a suburb of New York City.

In cases where Iran has acknowledged it was a victim of a cyberattack, it usually accused foreign countries. But after the attack on July 9 on the railway system, Tehran didn't blame anyone and there was no claim of responsibility.
Check Point said the hack bore striking similarities to others against companies connected to the Iranian government that Indra had claimed in 2019 and 2020.

“It's very possible that Indra is a group of hackers, made up of opponents of the Iranian regime, acting from either inside or outside the country, that has managed to develop its own unique hacking tools and is using them very effectively,” Cohen said.

Such a group could still be backed by a state, or its name could be used as a cover for one, but Check Point and other experts said they had found no indication of that.

Ari Eitan, the vice president of research at Intezer, a New York-based company that specializes in comparing the code used in different cyberweapons, also said there was a strong link between the tools and methods used in the July train hack and past hacks claimed by Indra.

“They share code genes that were not seen anywhere else but in these attacks, and the files used last July are an updated and improved version of those used in 2019 and 2020,” he said. “Based on the code connections, it’s safe to assume the same group is behind all attacks.”
Indra first surfaced on social media shortly before its first hacking claim in 2019 and has since posted in English and Arabic. It has claimed responsibility for a series of attacks targeting companies linked to Iran and its proxies, like Hezbollah, the Lebanese militant group.

The group’s Twitter account says its mission is to “bring a stop to the horrors of QF and its murderous proxies in the region,” referring to the Quds Force — the foreign-facing branch of the Revolutionary Guards — and the proxy militias it oversees around the Middle East.

On the day of the train attack, an announcement appeared on electronic timetable boards at railroad stations across Iran saying: “Long delays due to cyberattacks.” The message itself was the work of the hackers and, in a sardonic twist, it advised confused travelers to seek more information by calling 64411, the office number of Iran’s supreme leader, Ayatollah Ali Khamenei.

A day later, the Iranian Transport Ministry’s computer system was also hacked, severely disrupting operations. In both attacks, similar notices popped up on computer screens making clear that it was a hack, though there was no mention of Indra in the claims.
Check Point said that its investigation found that the hackers engaged in intelligence gathering before their attack. An identical break-in tool was used for both hacks, disabling the computers by locking them and wiping their contents. The tool, called Wiper, is an advanced version of the same one that Indra has been using since 2019, according to Check Point.

“What we're seeing here are patterns that are different from anything we have seen in the past in attacks executed by states,” said Cohen, adding that Indra had developed unique and exclusive attack tools and had demonstrated intelligence-gathering ability.

He also said that the group appeared to be in the process of developing its abilities, but that it was still far from the level of sophistication of a state-run cyberassault.

Their operations, Cohen said, appeared “more like a team of ideologically motivated youngsters with capabilities they have taught themselves in the cyberworld than like an orderly and organized body.”

In 2019, Indra claimed that it had hacked the servers of the Fadel Exchange and International Forwarding Company, a Syria-based company dealing with international money transfers and foreign currency trading. Indra accused the company of helping to finance the Quds Force and Hezbollah.

In 2020, Indra claimed that it had hacked the Syrian privately owned Cham Wings Airlines, which has been under U.S. Treasury sanctions since 2016 for aiding the Syrian government in the country’s civil war.
https://www.nytimes.com/2021/08/14/world/middleeast/iran-trains-cyberattack.html