On Friday, July 9th, Iran’s railway infrastructure came under cyber-attack. Hackers displayed messages about train delays or cancellations on information boards at stations across the country and urged passengers to call a certain phone number for further information. This number apparently belongs to the office of the country’s supreme leader, Ayatollah Ali Khamenei. The very next day, the websites of Iran’s Ministry of Roads and Urbanization went out of service. Photographs from the “crime scene” were leaked on social media showing the message that was left by the attackers:

“We have cyber-attacked the computer systems of the Railway Company and the Ministry of Roads and Urban Development! This message is for the administrator: Do not extend your legs beyond your rug”

This attack raised many questions: Who's behind this attack? What are the tools used and have we seen them in other attacks? Why would someone launch a cyber-attack on public infrastructure in such a loud and sarcastic manner?

Check Point Research analysed the artifacts left by the attackers in a quest to find the answers. The investigation eventually led us to a politically motivated group of hackers named “Indra”. The group has operated since 2019 and, despite a few successful attacks against targets in Syria, has managed to stay under the radar until now.

Join us as we follow the trail of breadcrumbs that ultimately led us to uncover Indra. We will describe and explain our analysis and the methods we used to track Indra’s footsteps — from deploying wipers against private Syrian companies connected to Iran and Quds Force, to causing a disruption in Iran Railways and the government network. We will show the evolution of their tools and targets, and discuss their motives as can be learned from their social media accounts.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speakers later, contact Itay Cohen on Twitter at @megabeets_.