More details on the cyberattack on Iran’s railroad system emerged over the weekend. On Friday, July 9, 2021 Iran International reported that a system-wide disruption of Iran’s railroads was probably due to a cyberattack, citing the Revolutionary Guard-backed FARS news agency. Now it appears that the attackers had penetrated the system at least a month earlier.
The first report explained that hundreds of operations on the railroads had been delayed or cancelled with thousands of passengers stranded. The Iranian national railroad website was unavailable, but it isn’t clear whether it was taken down by the authorities or the hackers.
Similarly, it wasn’t clear whether a message posted on station notice boards was official or from the hackers, although attackers had previously taken control of announcements at two airports and posted anti-government messages. The railroad message merely stated, “Long delays due to cyberattack”, adding a phone number.
According to Iran International, “The number might belong either to the office of President Hassan Rouhani or Supreme Leader Ali Khamenei. It is not clear if hackers have posted the information or the authorities.” It would be reasonable to assume, however, that the attack was at least partly designed to embarrass the incoming new hardline president, Ebrahim Raisi, before he takes over from the moderate Hassan Rouhani next month. The newspaper comments that Iran “periodically becomes a target of hackers from other countries, particularly Israel.”
Israel is largely considered to be responsible – especially within Israeli media – for a blackout at Iran’s Natanz atomic facility in April 2021. Neither Israel nor Iran have baulked against attacking critical infrastructures in the Middle East. Transport is part of a critical infrastructure. If this attack were state backed from anywhere other than Israel, it could be considered an escalation of cyber activity. The possibility of state involvement gains some credence from the lack of any apparent financial motive – pointing the finger at either a state or activist motivation.
On Sunday July 16, 2021, Iran International reported further details on the railroad attack from “an information security office at the presidential administration.” The attackers apparently penetrated the system in early June, and had been preparing the payloads from late June onwards.
The attack vector seems to be inadequate security from users working from home and not observing security protocols, but was exacerbated by “existing weaknesses in the systems, not guarding passwords, not updating antivirus software and insufficient investment in cyber security.”
Once the attackers had gained access, they began changing the loading protocols and user passwords. They also prevented the ability of admins to access the system remotely, and they disabled recovery systems.
While the attack may have been to embarrass the incoming president, it could simply have been a reprisal attack in response to continuing Iranian cyberattacks against other countries. In April, Israel accused Iran of using fake social media accounts to lure citizens of the Jewish state abroad “to harm or abduct them”.
In May 2021, Sentinel Labs reported that the Iranian state backed Agrius group had deployed wiper attacks masquerading as ransomware against Israeli targets.
In general, Iran is considered to be the West’s third most sophisticated and active cyber adversary, behind China and Russia. Actions against it are not limited to those from Israel. On June 22, 2021, the U.S authorities seized a range of Iran’s state-linked news websites they accused of spreading misinformation.
Thirty-three of the seized sites were used by the Iranian Islamic Radio and Television Union, and were accused of spreading disinformation designed to sow discord among U.S. voters ahead of the 2020 elections. Three others were operated by Kata’ib Hizballah, which was designated a foreign terror organization more than ten years ago.