Who done it? Israel not behind cyberattack on Iran, says report

The Iranian drone attack on the Israeli-linked tanker Mercer Street was likely a direct act of revenge for the cyberattack, which Iran incorrectly attributed to Israel.

By Josh Plank, World Israel News

In a report published Saturday, Check Point Software Technologies has revealed the identity of the group likely responsible for an early July cyberattack on Iranian infrastructure, for which Iran may have wrongly retaliated against Israel by attacking a tanker in the Gulf of Oman late last month.

On July 9 and 10, the computer systems of Iranian Railways and the Ministry of Roads and Urban Development came under attack. In addition to locking and wiping the contents of targeted computers, the hackers displayed the message, “Long delays due to cyberattacks,” on train station monitors across the country, urging passengers to call the telephone number of Iranian Supreme Leader Ali Khamenei.

“We were able to tie this activity to a threat group that identify themselves as regime opposition group, named Indra,” Check Point, an Israeli-American cybersecurity company, said in the report.

“While most attacks against a nation’s sensitive networks are indeed the work of other governments, the truth is that there is no magic shield that prevents a non-state sponsored entity from creating the same kind of havoc, and harming critical infrastructure in order to make a statement,” the company said.

In this case, a cyberattack by Indra, an Iranian opposition group named after the Hindu god of war, may have unintentionally sparked a chain reaction between Iran and Israel.

Israel’s Channel 13 News reported last month that the Iranian drone attack on the Israeli-linked tanker Mercer Street was likely a direct act of revenge for the cyberattack, which Iran incorrectly attributed to Israel.

“We know how to send a message to Iran in our own way,” Prime Minister Naftali Bennett said after the drone attack, and some believe this threat was fulfilled last week with an explosion on an Iranian oil tanker at a Syrian port.

Indra, the group Check Point believes was really behind the cyberattack, has openly claimed responsibility for cyberattacks against Iranian interests in Syria as early as September 2019.

According to the group’s social media accounts, their goal is “to bring a stop to the horrors of QF [Quds Force, a branch of Iran’s Islamic Revolutionary Guard Corps] and its murderous proxies in the region.”

Check Point’s analysis of the malicious files used in the attacks revealed multiple similarities between the recent attack on Iranian infrastructure and Indra’s attacks on Syrian targets in 2019 and 2020.

“These are similarities in the tools, the Tactics, Techniques and Procedures (TTP), as well as in the highly targeted nature of the attack, and they make us believe that Indra is also responsible for the recent attacks in Iran,” the company said.

Check Point noted that, unlike previous operations, Indra has not publicly taken responsibility for the July cyberattack. “This might be explained by the seriousness of the new attacks, as well as their impact,” the company said.