A Hacking Spree Against Iran Spills Out Into the Real World

On July 9 and 10 of this year, hackers disrupted Iranian train services and posted fake delay notices on digital billboards. “Long delays due to cyber attacks. More information: 64411,” read a message displayed on railway station signs. The phone number is linked to the office of Iran’s supreme leader, Ayatollah Ali Khamenei.

The railway attacks, according to analysis by Check Point that has subsequently been confirmed by New York–based threat intelligence company Intezer, were linked to a group of hackers dubbed Indra, after the Hindu god of war. The group has also conducted attacks in Syria, and is “unlikely” to be linked to a country, the analysis says. Check Point says that the little-known group appears to be “focused” on targeting entities that “cooperate with the Iranian regime,” and that it has also attacked a currency exchange and a Syria-based private airline, and threatened to attack a Syrian oil refinery in 2019 and 2020.

The office phone number was also briefly displayed on some gas station pumps in October, after a cyberattack paralyzed Iran’s 4,300 gasoline stations. Thousands of stations were offline for up to 12 days as the system behind government-issued smart cards, which allow people to buy subsidized fuel, was crippled. Motorists complained of chaos as they queued for hours waiting to refill their vehicles. The fuel attack happened around the second anniversary of the Iranian regime hiking fuel prices, then shutting down the internet after people protested the increases.

However, the gas station campaign appears to be separate from the attacks on the railway infrastructure. While an unknown group called Predatory Sparrow claimed responsibility, Iranian officials have said the attack was the work of a “state actor.” A New York Times report this weekend, citing unnamed US defense officials, linked the attack to Israel. Other recent targets include an Iranian airline, as well as the systems behind the country’s dams and water supplies, other reports say.

“Traditionally, these kinds of attacks are reserved to nation states because we are dealing with very complicated infrastructure,” Finkelstein says. Various groups have tried to claim responsibility for the attacks. However, multiple security experts point out that any attribution is unsupported by published technical details, either from officials or from the groups that claim to have conducted them.