{
	"id": "5be76fef-9b76-4e15-9aa7-916cd7e3c999",
	"created_at": "2026-04-06T00:14:26.658643Z",
	"updated_at": "2026-04-10T03:35:19.89909Z",
	"deleted_at": null,
	"sha1_hash": "df32fb0b116cdbb1dbbeaa8ec4feefec890f812f",
	"title": "Indra Group Attack on Iran Highlights the Threats to Global Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39164,
	"plain_text": "Indra Group Attack on Iran Highlights the Threats to Global\r\nCritical Infrastructure\r\nBy etal\r\nPublished: 2021-08-14 · Archived: 2026-04-05 17:19:04 UTC\r\nCheck Point Research (CPR) warns governments everywhere of the importance of protecting critical\r\ninfrastructure, as it learns that the July 9 cyber attack on Iran’s train system was carried out by Indra, a\r\ngroup that identifies itself as regime opposition and has the capability to wipe out data without direct means\r\nfor recovery.\r\nCPR analyzed artifacts left by the July 9 cyber attack on Iran’s train system, attributing the attacks to a\r\ngroup that self-identifies as Indra\r\nCPR confirms that Indra was also responsible for cyber attacks against multiple companies in Syria in 2019\r\nand 2020\r\nCPR cites cyber attack on Iran’s train system as an example for governments around the world of how a\r\nsingle group can create disruption on critical infrastructure\r\nCheck Point Research (CPR) has attributed the recent cyber attacks on Iran’s train system to a group called Indra\r\nthat self-identifies as opposition. Under the radar since 2019, Indra has been confirmed by CPR to be responsible\r\nfor multiple cyber attacks carried out against companies in Syria. Two of the victims, Katerji Group and Arfada\r\nPetroleum, are on the US sanctions list.\r\nOn July 9, local news outlets began reporting on a cyberattack targeting the Iranian train system, with hackers\r\ndefacing display screens in train stations by asking passengers to call ‘64411’, the phone number of Iranian\r\nSupreme Leader Khamenei’s office. Train services were disrupted and just a day later, hackers took down the\r\nwebsite of Iran’s transport ministry. 
According to news outlets, the ministry’s portal and sub-portal sites went\r\ndown after the attack targeted computers at the Ministry of Roads and Urban Development.\r\nCPR analyzed artifacts left by the cyber attack on Iran’s train system, learning that the attack tools were\r\ntechnically and tactically similar to those used in malicious activity against multiple companies in Syria.\r\nComplicated Recovery Process\r\nIndra’s tools destroyed data without direct means to recover it. To carry out its cyber attacks, Indra ran what’s\r\nknown as a “wiper”, malware designed to wipe the entire data system of critical infrastructure, making the\r\nrecovery process complicated, locking users out of machines, changing passwords and replacing wallpapers to\r\ncustom messages crafted by attackers.\r\nConcern over Replication\r\nCPR is concerned about the damage and disruption a single entity or group, such as Indra, can cause to critical\r\ninfrastructure around the globe, as Indra’s methods managed to infiltrate several sensitive and critical networks in\r\nhttps://blog.checkpoint.com/2021/08/14/indra-group-attack-on-iran-highlights-the-threats-to-global-critical-infrastructure/\r\nPage 1 of 2\n\nIran and Syria, potentially harming human life.\r\nWe now live in an age where critical infrastructure in any corner of the world can easily be disrupted. If it can\r\nhappen in Tehran, it can happen in Toronto, Tokyo, or San Francisco. What’s most alarming to us is that a single\r\ngroup infiltrated and caused massive damage to critical infrastructure, potentially harming human life.\r\nGovernments around the world should take the recent cyber attack on Iran’s train system as an example of how\r\ndisruption can be created by hackers, not by penetrating entire strategic infrastructures, but by simply creating\r\ndamage on screens or another visual focal point. This case in Iran is just one example, and can happen in any other\r\ncountry in the world. 
Check Point strongly recommends governments everywhere maintain the latest security\r\npatches and data backups, improve personal cyber-awareness training, and install anti-ransomware solutions.\r\nSecurity and Protection Tips for Governments\r\n1. Enact a disaster recovery plan. Make sure your organization or institution implements an effective\r\ndisaster recovery plan, especially if it provides or supports any critical infrastructure. Such a plan should\r\nusually include a full backup plan as well, and secondary networks should be activated in case of\r\nmalfunction in the primary systems.\r\n2. Be up-to-date. Make sure your systems are up to date and all recent security patches have been installed\r\nand deployed.\r\n3. Leverage 3rd party security software. Use third-party protection software to help protect against threats\r\nsuch as ransomware, wipers and many other attack vectors that might lead to disruption of your business.\r\nFor more technical details, please visit the CPR blog.\r\nSource: https://blog.checkpoint.com/2021/08/14/indra-group-attack-on-iran-highlights-the-threats-to-global-critical-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/2021/08/14/indra-group-attack-on-iran-highlights-the-threats-to-global-critical-infrastructure/"
	],
	"report_names": [
		"indra-group-attack-on-iran-highlights-the-threats-to-global-critical-infrastructure"
	],
	"threat_actors": [
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df32fb0b116cdbb1dbbeaa8ec4feefec890f812f.pdf",
		"text": "https://archive.orkl.eu/df32fb0b116cdbb1dbbeaa8ec4feefec890f812f.txt",
		"img": "https://archive.orkl.eu/df32fb0b116cdbb1dbbeaa8ec4feefec890f812f.jpg"
	}
}