
Cyber Incident Victim: Iran

Date:

Dec 2024

Location:

Iran

Summary

A cyberattack attributed to the group APT Iran compromised the digital infrastructure of Iran's Railway Company, resulting in the leak of internal documents including employee conduct guidelines mandating Islamic attire for female staff, identity records, operational reports, and wagon maps. While officials downplayed the severity of the breach, the hackers said it exposed systemic security weaknesses, pointing to their earlier intrusions at telecommunications and property-registration entities. The intrusion fits a broader pattern of cyberattacks on Iranian government systems, following a recent breach of judiciary servers and earlier sabotage of railway operations by other hacktivist collectives.


Description

On December 1, 2024, the hacker group APT Iran infiltrated the digital infrastructure of Iran's Railway Company, the latest in a series of attacks on Iranian government networks. The group leaked internal documents, including a directive signed by Mohsen Tabatabaei Atabak, Director General of Planning and Monitoring of Passenger Services, which required female employees to wear "loose and long garments made of thick fabrics" with complete hair coverage. Other compromised material included identity documents, internal reports, and wagon maps. Cyberban News Agency confirmed the breach but dismissed reports of impact on the main railway infrastructure as propaganda, playing down the incident's severity. APT Iran said the attack was intended to expose security weaknesses, citing its earlier breaches at IranCell Communication Services Company and the State Organization for Registration of Deeds and Properties. The leak highlighted ongoing tensions over mandatory hijab policies and operational rules within state-run entities. No immediate disruption to train services was reported, in contrast to earlier cyber incidents that affected physical operations. The breach underscored persistent weaknesses in Iran's cybersecurity defenses, particularly within critical transportation sectors.


This incident follows a pattern of cyberattacks against Iranian government institutions. In July 2021, the Gonjeshk-e-Darande group disrupted railway operations by hacking the Ministry of Roads and Urban Development, forcing a switch to manual train management. More recently, the Edalat-e Ali group breached servers of the Iranian judiciary and accessed millions of confidential files. In the month before the railway breach, a separate hack of parliament servers exposed lawmakers' incomes and sanctions-evasion schemes. Cyber expert Amin Sabeti said such attacks are likely to continue amid ongoing social unrest, reflecting hacktivists' focus on exposing governance issues. The repeated targeting of transportation, judicial, and legislative systems points to broad weaknesses across Iran's digital infrastructure. While the immediate operational impact of the railway breach was limited, the exposure of sensitive employee guidelines and logistical documents eroded public trust and revealed internal security shortcomings. The incident added to a growing archive of leaked government material used by opposition groups to criticize state policies.
