Welcome to the VB2021 conference!

arrow left Back

Meet Indra: uncovering the hackers behind attacks on Iran Railways

18:15 - 18:45 Fri 8 Oct 2021
Itay Cohen (Check Point) & Alexandra Gofman (Check Point)
On Friday, July 9th, Iran’s railway infrastructure came under cyber-attack. Hackers displayed messages about train delays or cancellations on information boards at stations across the country and urged passengers to call a certain phone number for further information. This number apparently belongs to the office of the country’s supreme leader, Ayatollah Ali Khamenei. The very next day, the websites of Iran’s Ministry of Roads and Urbanization went out of service. Photographs from the “crime scene” were leaked on social media showing the message that was left by the attackers:

    “We have cyber-attacked the computer systems of the Railway Company and the Ministry of Roads and Urban Development! This message is for the administrator: Do not extend your legs beyond your rug”


This attack raised many questions: Who's behind this attack? What are the tools used and have we seen them in other attacks? Why would someone launch a cyber-attack on public infrastructure in such a loud and sarcastic manner?

Check Point Research analysed the artifacts left by the attackers in a quest to find the answers. The investigation eventually led us to a politically motivated group of hackers named “Indra”. The group has operated since 2019 and, despite a few successful attacks against targets in Syria, has managed to stay under the radar until now.

Join us as we follow the trail of breadcrumbs that ultimately led us to uncover Indra. We will describe and explain our analysis and the methods we used to track Indra’s footsteps — from deploying wipers against private Syrian companies connected to Iran and Quds Force, to causing a disruption in Iran Railways and the government network. We will show the evolution of their tools and targets, and discuss their motives as can be learned from their social media accounts.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speakers later, contact Itay Cohen on Twitter at @megabeets_.
Itay Cohen
Check Point

Itay Cohen (a.k.a. Megabeets) is a senior security researcher and a reverse engineer in the Malware and Vulnerability Research Group at Check Point Research. Itay has vast experience in malware reverse engineering and other security-related topics. He is the author of a security blog focused on making advanced security topics accessible for free. Itay is a maintainer of the open-source reverse engineering frameworks Rizin and Cutter. In his free time, he loves to participate in CTF competitions and contribute to open-source projects.

Alexandra Gofman
Check Point

Alexandra Gofman is a cyber researcher in the Threat Intelligence Analysis Team at Check Point Research. Her research includes APT attacks, cybercrime, malware analysis, and cyber threat intelligence. Alexandra speaks Russian, English and Hebrew and holds a Master's degree in engineering physics.