CheckPoint security experts were able to identify the threat actors behind the latest Iranian cyberattacks

Aug 23, 2021 14:06 GMT  ·  By

The cyberattack that crippled Iranian trains last month was recently attributed to the cybercriminal group Indra. According to Cyware, the group is known for a series of attacks on several Syrian organizations in which it deployed a wiper on the compromised networks.

As expected, Indra denies any involvement in the latest attack on Iran. Then again, a large body of evidence suggests that the attackers had prior knowledge of the targeted networks. Over the past couple of years, the attackers have distributed three different wipers, Comet, Stardust, and Meteor, across victims' social media networks.

According to CheckPoint research, the techniques employed are similar to those used by the perpetrators of previous attacks on private companies in Syria. One element common to the Syrian and Iranian attacks is the use of script and archive files as the means of delivery within a multi-layered execution flow. Although they were saved in various file formats, the scripts performed almost the same functions. Another commonality is that the wiper is the last payload to be downloaded and executed on the target computers.

Indra is not thought to be a state-sponsored cybercrime organization

There are noteworthy differences between the Iranian attacks and the Indra group's earlier operations. For starters, after further examination of the quality of the tools, the modus operandi, and the group's activity on social media, the researchers assess that Indra is a threat organization without the support of any nation-state.

Moreover, Indra has not taken public responsibility for the assaults, as it did in its prior operations. Another distinction is that the Syrian operations targeted private organizations, whereas the Iranian strikes targeted official Iranian entities.

Indra stated on Twitter that it opposes organizations affiliated with the Iranian regime, mainly because of the crimes committed by the Quds Force and its allies, and that it will do everything it can to attack them.