Hackers behind Iranian wiper attacks linked to Syrian breaches

Image: Avi Richards

Destructive attacks that targeted Iran’s transport ministry and national train system were coordinated by a threat actor dubbed Indra, who previously deployed wiper malware on the networks of multiple Syrian organizations.

Last month, Iran’s railways and transport ministry were hit by a cyberattack that took down their websites and disrupted train service throughout the country. 

“The attacks on Iran were found to be tactically and technically similar to previous activity against multiple private companies in Syria which was carried at least since 2019,” Check Point Research analysts who made the connection said.

“We were able to tie this activity to a threat group that identify themselves as regime opposition group, named Indra.”

The attackers deployed a previously unseen file wiper called Meteor on the targets’ systems. They displayed messages on the railway’s message boards saying that the trains were canceled or delayed, asking passengers to the office of Supreme Leader Ali Khamenei for more information.

Hacktivist or cybercrime group targeting IRGC-affiliated entities

Wipers, Nuke-it-From-Orbit-ware as Check Point Research called them, are designed to destroy data or brick breached devices, usually as cover for other attacks taking place at the same time.

Indra developed and deployed at least three different variants of a wiper dubbed Meteor, Stardust, and Comet on victims’ networks throughout the years since they first surfaced in 2019.

Despite this, the group’s modus operandi, the quality of their tools, and willingness to claim attacks on social media make it unlikely that Indra is a nation-state sponsored threat actor.

However, as SentinelOne security researcher Juan Andres Guerrero-Saade observed in a report analyzing the Iranian attack published two weeks ago, the threat actor was able to remain undetected during the reconnaissance phase of their attack despite showing a general lack of skill. 

“There’s feature redundancy between different attack components that suggests an uncoordinated division of responsibilities across teams,” Guerrero-Saade said. “And files are dispensed in a clunky, verbose, and disorganized manner unbecoming of advanced attackers.”

Regardless of their skill level, Indra identify themselves as a group opposing the Iranian regime. Based on Iranian media reports from last year, they also have ties to cybercriminal or hacktivist groups that target entities affiliated with the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces.

Iranian wiper attacks remain unclaimed

Indra has previously shared successful attacks on social media on multiple platforms, including Twitter, Facebook, Telegram, and Youtube.

Based on the group’s social media activity of Indra since 2019, Check Point Research found that Indra has claimed the following attacks:

• September 2019: an attack against Alfadelex Trading, a currency exchange and money transfer services company located in Syria.
• January 2020: an attack against Cham Wings Airlines, a Syrian-based private airline company.
• February 2020 and April 2020: seizure of Afrada’s and Katerji Group’s network infrastructure. Both companies are situated in Syria as well.
• November 2020: Indra threatens to attack the Syrian Banias Oil refinery, though it is not clear whether the threat was carried out.

However, the hacking group chose not to take responsibility for last month’s attacks against the Iranian Railways and the Ministry of Roads and Urban Development.

Despite this, Check Point Research was able to find multiple similarities (the tools and Tactics, Techniques and Procedures (TTP), and the attack’s highly targeted nature) directly connecting them with these incidents.