A month ago, Iran's railways and transport ministry were targeted in a cyberattack, leaving the transportation system stranded. These targeted attacks aimed at Iran's transport ministry and national railway system have been linked with the Indra threat group. Earlier, the threat group had used a wiper on the networks of various Syrian entities.

Attack on Iranian infrastructure

In July, the Iranian Ministry of Roads and Urban Development and the national railway system were targeted in cyberattacks.
  • According to Check Point Research, the attackers behind the operation used the same tactics as in earlier attacks aimed at private businesses in Syria.
  • Numerous pieces of evidence suggested that these recent attacks relied heavily on the attackers' prior reconnaissance of, and knowledge about, the targeted networks.
  • Since 2019, the attackers have deployed three different wipers, Meteor, Stardust, and Comet, into victims' networks.
  • Various artifacts examined during the analysis of two Stardust wiper operations revealed that the Katerji Group and its associated company, Arfada Petroleum (located in Syria), were the targets.

Based on further examination of the quality of the tools, the modus operandi, and the group's activity on social media, Indra is believed to be a threat group without nation-state support.

Additional insights

A report from SentinelOne noted that the group stayed undetected during the reconnaissance phase of the attack chain even though it lacked the pertinent skills.
  • The group's different attack components are redundant in functionality, and its files are distributed in a disorderly manner, which hints at an uncoordinated division of responsibilities among teams.
  • Moreover, Indra claims to be unsupportive of the Iranian regime and has relations with hacktivist groups that target entities related to the Islamic Revolutionary Guard Corps (IRGC).

Conclusion

Indra has been active for the past two years and is continuously developing its tools, using different wipers for various attacks. Even though the group has not claimed responsibility for the recent attack on Iran, the multiple similarities in tactics and techniques suggest its involvement.
Cyware Publisher