Iranian hackers are attacking Syrian agencies

A security report notes that the recent attacks on Iran’s transport infrastructure were reportedly carried out by Indra, the same group of threat actors responsible for infecting the networks of multiple Syrian organizations with destructive wiper malware.

The report, published by Check Point Research, notes that these attacks are virtually identical to the malicious activity detected in Syria during 2019: “We can link this activity to the threat group known as Indra, which identifies itself as opposition to the regime,” the report says.

Those responsible for the attack on Iran’s transport infrastructure employed a dangerous malware variant known as Meteor, capable of wiping large amounts of data on the affected systems. Wiper malware, described as “Nuke-it-From-Orbit-ware” by Check Point Research, is designed to destroy compromised data or devices, and can also serve to cover up other attacks.

The researchers say Indra is responsible for creating at least three different wiper variants, identified as Meteor, Stardust and Comet. Although these are advanced wiper variants, the researchers rule out Indra being a state-sponsored group.

On the other hand, researcher Juan Andrés Guerrero-Saade states that the threat actors behind these incidents were able to go unnoticed during the reconnaissance phase, even though their attack methods are unsophisticated.

Beyond the hackers’ questionable abilities, Indra has openly declared itself an opposition group to Iran’s government, so it could also have ties to cybercriminal groups affiliated with the Islamic Revolutionary Guard Corps (IRGC), a major arm of Iran’s armed forces.