Indra hacking group blamed for attack on Iranian railway system that trolled country’s supreme leader

Indra hacking group blamed for attack on Iranian railway system that trolled country's supreme leader

On 9 July, Iran’s railroad system came under attack from hackers.

The attackers posted messages on station departure boards warning of “long delay[s] because of cyberattack”, and suggesting inconvenienced passengers call “64411” for more information.

64411 is reportedly the telephone number of the office of Ayatollah Ali Khamenei, Iran’s supreme leader.

The following day, Iran’s transport ministry said that its computer systems and website had suffered “widespread disruption…probably due to a cyberattack.”

Iran attack pc

An analysis by experts at Sentinel One pointed the finger of blame towards MeteorExpress (also known as Meteor), a previously unseen type of wiper malware that wiped computer file systems and locked out users.

Inevitably, Iran wasn’t terribly pleased about having its systems attacked by the hackers, and there have been reports that a subsequent drone attack by Iran against an Israeli-operated oil tanker, which resulted in the death of two crew members, might have been launched in a tit-for-tat response to the cyber attack.

However, an investigation by security researchers at Check Point has concluded that the attack was the work of a hacking gang called Indra that works against the Tehran regime, rather than an attack sponsored by a nation state such as Israel.

Sign up to our free newsletter.
Security news, advice, and tips.

Was it Israel? Was it Indra? Was it Indra working under the orders of Israel?

It’s hard to be certain.

But whoever was responsible for the attack on Iran’s train system which trolled the country’s supreme leader should probably consider that it’s no laughing matter, and that things could very quickly and seriously escalate.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.