Cyber Incident Victim: Train services in Iran

Date: Jul 2021

Location: Iran

Summary

A cyberattack disrupted train services in Iran, causing widespread delays and cancellations as hackers targeted ticket offices, the national railway's website, and cargo systems, leading to reported "unprecedented chaos" at stations across the country. Electronic boards displayed messages attributing the disruptions to cyberattacks and falsely listed the phone number of the country's supreme leader as a contact for assistance. While state media initially described significant operational impacts, railway officials later denied major delays and stated technicians were investigating the incident.

Description

On July 9, 2021, Iran's national railway system experienced widespread disruptions attributed to cyberattacks, causing significant delays and cancellations across train services. Hackers targeted critical infrastructure components, including ticket office operations, the railway's official website, and cargo transportation systems. Electronic information boards at stations displayed messages instructing travelers to contact a phone number falsely presented as a railway helpline, which instead connected to the office of Supreme Leader Ayatollah Ali Khamenei. State-affiliated media outlets, including the IRIB state broadcaster and Fars News Agency, reported "unprecedented chaos" at stations nationwide as passengers faced uncertainty regarding schedules and ticket availability. Additional notices on station boards explicitly cited "long delays due to cyberattacks," confirming the technical nature of the disruption. The coordinated timing of these events during operational hours amplified passenger confusion and logistical challenges, particularly affecting intercity travel and freight movements.

Iranian authorities acknowledged the incident through state media channels while attempting to manage public perception. A spokesman for the state railway company confirmed technical teams were investigating the disruptions but contradicted earlier reports by denying the existence of major service delays. No immediate claims of responsibility emerged through official channels, though the deliberate redirection of passenger inquiries to the Supreme Leader's office suggested a politically motivated component to the attack. The incident exposed vulnerabilities in transportation infrastructure management systems, particularly the integration between public information displays and core scheduling operations. Service restoration timelines remained unspecified in initial reports, leaving passengers dependent on alternative transportation arrangements during the disruption period. Railway officials maintained operational oversight throughout the incident without implementing emergency public contingency protocols beyond technical remediation efforts.
