After Iranian-on-Iranian Cyberattacks, pro-Iran Hackers Claim ‘Tel Aviv Metro’ Hit

The state-owned company building the Tel Aviv Light Rail – which is still under construction – said its website briefly went down, but hackers didn't gain access to any information

Omer Benjakob
Construction of the Tel Aviv Light Rail on Yehuda Halevi Street in 2019. Credit: Tomer Appelbaum

Pro-Iranian hackers launched a cyberattack Monday on what they described as “the Tel Aviv metro” – the light rail system under construction – the latest in a long list of incursions either linked to Iranians or aimed at Iran.

Tel Aviv does not have a subway, and the state-owned company building the city’s light rail said its website briefly went down due to an attack.

Israel and Iran have long been fighting a proxy war in cyberspace. This includes recent attacks against Iranian companies by other Iranians, most likely dissidents or hackers masquerading as dissidents. There have also been attacks that Iran attributes to Israel.

On Telegram and Twitter on Monday, accounts linked to small-time hacking groups affiliated with Iran or with purported pro-Iranian cybermilitias published screenshots of what they called an “attack” on the “Tel Aviv metro.”

The screen captures showed images of the light rail system under construction, as well as IP addresses purportedly linked to it.

A post by pro-Iranian hackers claiming an "attack" on the "Tel Aviv metro." Credit: Screen capture

The Tel Aviv Light Rail is being built by the state-owned company NTA, which says it’s in charge of “the design and construction of a mass transit system for the Tel Aviv metropolis.”

In a statement, the company said that “this morning a malfunction was found in the NTA internet system. An examination revealed the website was attacked using a DDOS attack originating from abroad.” So-called distributed denial-of-service attacks are considered the simplest form of cyberattack; a website is bombarded with traffic and queries with the goal of sending it offline.

In its statement, NTA said the site was only down for a few minutes, with its defensive cybersystems preventing any real damage to the site, which the company said was operated by a third-party vendor. The hackers did not gain access to any information, NTA said.

“NTA is preparing for additional attacks together with the cyber authority and is acting according to its instructions,” the company said.

Sources in the industry stress that this was a very small attack – a similar one, they note, took place against an Israeli food-takeaway website just last week.

But there have been many attacks; Iranian hackers have taken control of the email accounts of senior Israeli figures and impersonated them, the Israeli cybersecurity company Check Point Software Technologies said last month.

Check Point is one of the most prominent defensive cyber firms in the world. Its Check Point Research arm has found that a recent attack on Iran’s Khouzestan Steel Company used methods similar to those in attacks on the Iranian Offshore Oil Company, Iran’s Roads and Urban Development Ministry and the country’s rail system.

Past attacks by the group Indra on Iranian sites led victims to this screen. Credit: Check Point Research

These incursions took place in 2019 and were linked to a group called Indra. The so-called hacktivist group’s attacks prompted a video on their victims’ screens, as did the recent attack on the steel company.

The attackers also referred their victims to the phone number 64411, which leads to the office of Iran’s supreme leader. Researchers thus assumed that the incursion was either by Iranian dissidents or people trying to pass themselves off as Iranians.

A recent attack by hackers on an Iranian steel company led victims to an almost identical screen. Credit: Check Point Research

“The recent attack joins a flood of attacks conducted by groups portraying themselves as ‘hacktivists’ against the [Iranian] regime,” Check Point researchers wrote. “The number of attacks, their success and their quality can suggest that they were conducted by an advanced attacker or attackers, perhaps a nation-state with an interest to sabotage Iran’s critical infrastructure.”
