Threat Actor

Indra is a politically motivated group of hackers who has operated since 2019. Indra developed and deployed at least three different variants of a wiper dubbed Meteor, Stardust, and Comet on victims' networks throughout the years since they first surfaced in 2019. Despite this, the group's modus operandi, the quality of their tools, and willingness to claim attacks on social media make it unlikely that Indra is a nation-state sponsored threat actor.

While the group deployed wiper malware on the networks of multiple Syrian organizations, it has managed to stay under the radar until the Iran Rail Attack in 2021 - even though the group has not taken responsibility for this attack on Iran, the multiple similarities in tactics and techniques indicate otherwise.

INDRA’s official twitter account states that they are “aiming to bring a stop to the horrors of QF and its murderous proxies in the region” and they claim to be very focused on attacking different companies who allegedly cooperate with the Iranian regime, especially with the Quds-Force and Hezbollah. Their posts are all written in English or Arabic (both don’t seem to be their native language). The group called themselves Indra, after the Hindu god of war.

Incidents Associated with this Threat

Malware Used by this Threat Actor