
Cyber Incident Victim: Iran

Date:

Jan 2024

Location:

Iran

Summary

A cyberattack attributed to the hacker group APT Iran compromised the Railway Company's infrastructure, resulting in the leak of internal directives (including one mandating Islamic attire for female employees), identity documents, operational reports, and wagon maps. The group claimed the breach exposed security vulnerabilities that persisted after prior incidents targeting telecommunications and property registration entities, while Iranian authorities downplayed the intrusion's severity. This incident aligns with a pattern of cyber intrusions against government systems, including past disruptions to rail operations and recent breaches of judicial and parliamentary servers that revealed sensitive financial and sanction-related documents.


Description

In early 2024, the hacker group APT Iran infiltrated the cyber infrastructure of Iran's Railway Company, marking another attack on Iranian government networks. The breach exposed internal documents, including a directive signed by Mohsen Tabatabaei Atabak, Director General of Planning and Monitoring of Passenger Services, which mandated Islamic attire for female employees. The guidelines specified requirements for "loose and long garments made of thick fabrics" and complete hair coverage. Additionally, the hackers leaked identity documents, internal reports, and wagon maps. APT Iran claimed the attack aimed to alert railway officials about persistent security vulnerabilities, referencing prior breaches at IranCell Communication Services Company and the State Organization for Registration of Deeds and Properties. Iran’s Cyberban News Agency confirmed the hack but downplayed its severity, dismissing reports of infrastructure disruption as propaganda. The incident followed a pattern of cyber intrusions against Iranian state entities, including a July 2021 attack by Gonjeshk-e-Darande that disrupted railway operations by infiltrating the Ministry of Roads and Urban Development, forcing a temporary shift to manual train management.


This incident occurred amid escalating cyber assaults on Iranian institutions. One month prior, the hacktivist group Edalat-e Ali breached servers of the Iranian judiciary, accessing millions of confidential files. Similarly, a major hack of the parliament’s servers the previous month exposed lawmakers’ incomes and evidence of US sanctions evasion. Cyber expert Amin Sabeti noted that such attacks were likely to persist due to ongoing civil unrest. The railway breach highlighted recurring security weaknesses, as APT Iran exploited similar vulnerabilities previously identified in other government agencies. No operational disruptions to train services were confirmed, but the leak of sensitive documents underscored risks to data integrity and institutional credibility. The Cyberban News Agency’s dismissal of infrastructure impacts contrasted with the hackers’ claims of exposing systemic flaws, reflecting the ongoing tension between official narratives and activist disclosures in Iran’s cyber conflict landscape.
