Meet Indra: Uncovering the Hackers Behind Attacks on Iran Railways
Itay Cohen, Alexandra Gofman
Check Point
Abstract:
On Friday, July 9th, Iran's railway infrastructure came under cyber-attack. Hackers displayed messages about train delays or cancellations on information boards at stations across the country and urged passengers to call a certain phone number for further information. This number apparently belongs to the office of the country's supreme leader, Ayatollah Ali Khamenei. The very next day, the websites of Iran's Ministry of Roads and Urbanization went out of service. Photographs from the "crime scene" were leaked on social media showing a message that was left by the attackers:
“We have cyber-attacked the computer systems of the Railway Company and the Ministry of Roads and Urban Development!
This message is for the administrator:
Do not extend your legs beyond your rug”
This attack raised many questions: Who is behind it? What tools were used, and have we seen them in other attacks? Why would someone launch a cyber-attack on public infrastructure in such a loud and sarcastic manner?
We analyzed the artifacts left by the attackers in an effort to find the answers. The investigation eventually led us to a politically motivated group of hackers named "Indra". The group has operated since 2019 and, despite a few successful attacks against targets in Syria, managed to stay under the radar until now.
Join us as we follow the trail of breadcrumbs that ultimately led us to uncover Indra. We will describe and explain our analysis and the methods we used to track Indra's footsteps, from deploying wipers against private Syrian companies connected to Iran and the Quds Force, to causing disruption in Iran Railways and government networks. We will show the evolution of their tools and targets, and discuss their motives as they can be learned from their social media accounts.