Check Point: Dissident group hacked Iran’s trains, not Israel

A cyberattack on Iran's train system was conducted by a non-state actor, and demonstrated how non-state groups could cause severe damage to states.

Fire at petrochemical plant in Asaluyeh in southern Iran, May 26, 2021 (photo credit: FARS NEWS AGENCY)
Fire at petrochemical plant in Asaluyeh in southern Iran, May 26, 2021
(photo credit: FARS NEWS AGENCY)

An Iranian dissident group called Indra executed the mega hack on the Islamic Republic’s train system on July 9 and not Israel, the American cybersecurity company Check Point Software Technologies reported on Saturday.

Check Point said Indra’s hack of Iran’s train system was “an example for governments around the world of how a single group can create disruption on critical infrastructure.”

Part of what was so unusual about the attack was that it was a non-state organization inflicting nation-state-level damage on Iran’s physical infrastructure.

If non-state groups are traditionally thought of as lacking the capability to do more than hack websites and data, this was an example of such a group causing profound real-world damage.

Indra’s tools destroyed data without direct means to recover it by using a “wiper,” or malware designed to wipe the entire data system of critical infrastructure, making the recovery process complicated, locking users out of machines, changing passwords, and replacing wallpapers to custom messages crafted by attackers.

Part of the attack included the posting of fake messages about train delays and cancellations on terminals display boards across Iran.

Another message urged passengers to call the office of Iran Supreme Leader Ayatollah Ali Khamenei for more information, although the public did not know who it was they were all calling.

This was an instance in which Iran admitted that its transportation website and other systems had been substantially disrupted.

So significant was the chaos caused by the attack, and so certain was Tehran that Jerusalem was the cyber attacker, that reportedly the ayatollahs subsequently ordered the drone attack on the Israeli-owned oil tanker MT Mercer Street on July 29.

Check Point said that it knew that Indra was the hacker by comparing it with previous hacks “against multiple companies in Syria in 2019 and 2020.”


Stay updated with the latest news!

Subscribe to The Jerusalem Post Newsletter


Two of the companies in Syria that have been hacked, Katerji Group and Arfada Petroleum, are on the US sanctions list.

In 2009-2010, Iran’s nuclear facility at Natanz was hit by the Stuxnet computer virus, attributed by most to Israel and the US, and which damaged more than 1,000 uranium enrichment centrifuges.

Israel and Iran have also accused each other of trading cyber attacks on infrastructure against each other in April-May 2020, and the Islamic Republic has accused Israel of hacking its Saviz intelligence sea vessel in April.