Details Emerge on Iranian Railroad Cyberattack



More details on the cyberattack on Iran’s railroad system emerged over the weekend. On Friday, July 9, 2021, Iran International reported that a system-wide disruption of Iran’s railroads was probably due to a cyberattack, citing the Revolutionary Guard-backed FARS news agency. It now appears that the attackers had penetrated the system at least a month earlier.

The first report explained that hundreds of railroad operations had been delayed or cancelled, with thousands of passengers stranded. The Iranian national railroad website was unavailable, but it isn’t clear whether it was taken down by the authorities or by the hackers.

Similarly, it wasn’t clear whether a message posted on station notice boards was official or from the hackers, although attackers had previously taken control of announcements at two airports and posted anti-government messages. The railroad message merely stated, “Long delays due to cyberattack”, adding a phone number.

According to Iran International, “The number might belong either to the office of President Hassan Rouhani or Supreme Leader Ali Khamenei. It is not clear if hackers have posted the information or the authorities.” It would be reasonable to assume, however, that the attack was at least partly designed to embarrass the incoming new hardline president, Ebrahim Raisi, before he takes over from the moderate Hassan Rouhani next month. The newspaper comments that Iran “periodically becomes a target of hackers from other countries, particularly Israel.”

Israel is widely considered to be responsible – especially within Israeli media – for a blackout at Iran’s Natanz atomic facility in April 2021. Neither Israel nor Iran has balked at attacking critical infrastructure in the Middle East, and transport is part of critical infrastructure. If this attack were state-backed from anywhere other than Israel, it could be considered an escalation of cyber activity. The possibility of state involvement gains some credence from the lack of any apparent financial motive, which points to either a state or an activist motivation.

On Sunday, July 16, 2021, Iran International reported further details on the railroad attack from “an information security office at the presidential administration.” The attackers apparently penetrated the system in early June and had been preparing the payloads from late June onwards.

The attack vector appears to have been inadequate security among users working from home and not observing security protocols, exacerbated by “existing weaknesses in the systems, not guarding passwords, not updating antivirus software and insufficient investment in cyber security.”


Once the attackers had gained access, they began changing the loading protocols and user passwords. They also prevented admins from accessing the system remotely, and they disabled recovery systems.

While the attack may have been intended to embarrass the incoming president, it could simply have been a reprisal for continuing Iranian cyberattacks against other countries. In April, Israel accused Iran of using fake social media accounts to lure citizens of the Jewish state abroad “to harm or abduct them”.

In May 2021, Sentinel Labs reported that the Iranian state-backed Agrius group had deployed wiper attacks masquerading as ransomware against Israeli targets.

In general, Iran is considered to be the West’s third most sophisticated and active cyber adversary, behind China and Russia. Actions against it are not limited to those from Israel. On June 22, 2021, U.S. authorities seized a range of Iran’s state-linked news websites that they accused of spreading misinformation.

Thirty-three of the seized sites were used by the Iranian Islamic Radio and Television Union, and were accused of spreading disinformation designed to sow discord among U.S. voters ahead of the 2020 elections. Three others were operated by Kata’ib Hizballah, which was designated a foreign terror organization more than ten years ago.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
