Iranian Railways 'MeteorExpress' wiper attack

On 9 July 2021, Iran's national railway network was paralyzed by a previously unknown destructive malware that researchers named Meteor — an attack dubbed "MeteorExpress" for its combination of technical sophistication and theatrical trolling.

What happened

The malware swept across the IT systems of the Islamic Republic of Iran Railways and the Ministry of Roads and Urban Development. Station departure boards were defaced to show messages about "long delays because of cyberattack" and instructed travelers to call 64411 for information — the publicly known phone number for the office of Supreme Leader Ali Khamenei, a deliberate humiliation of the regime. The ministry's website was taken offline, and hundreds of trains were delayed or canceled amid what Iranian media described as unprecedented chaos.

The malware

Analysts at SentinelLabs reverse-engineered a three-part toolkit deployed via batch scripts and password-protected RAR archives (password hackemall):

Meteor — the core wiper: it wiped the filesystem according to an encrypted configuration, deleted shadow copies to block recovery, detached machines from the Windows domain, corrupted boot sectors, and changed passwords.
mssetup.exe — a screen-locker that froze workstations.
nti.exe — a component that corrupted the master boot record (MBR), rendering machines unbootable.

The Meteor binary had been compiled on 17 January 2021, roughly six months before deployment, and showed signs of being engineered for reuse — suggesting a deliberate, well-resourced operation rather than opportunistic crime.

Impact

Iran's railway operations were disrupted nationwide; trains were halted, delayed, or canceled.
Affected machines were wiped and made unbootable, forcing manual recovery.
This was a destructive incident — not ransomware — with no data exfiltration or ransom: the objective was disruption and political embarrassment.

Attribution

SentinelLabs could not initially tie Meteor to any known actor. Subsequent research by Check Point linked the operation to a hacktivist persona called "Indra", which had previously targeted Iranian-aligned entities in Syria, suggesting an anti-regime actor rather than a nation-state — though attribution remains unconfirmed. The attack came amid a wider wave of strikes on Iranian infrastructure later associated with the Predatory Sparrow group.

Why it matters

MeteorExpress demonstrated that a single custom wiper could shut down a nation's rail system and that attackers were increasingly pairing destruction with psychological operations — mocking Iran's leadership directly on public infrastructure. It became a template for the infrastructure-disruption campaigns that would hit Iran's fuel network and steel plants over the following year.

Timeline

January 17, 2021

The Meteor wiper executable is compiled — roughly six months before deployment — indicating premeditated, reusable tooling.

July 9, 2021

The wiper detonates across Iranian Railways systems; station departure boards display delay messages and the phone number '64411', the office of Supreme Leader Khamenei.

July 9, 2021

Hundreds of trains are delayed or canceled and the Ministry of Roads and Urban Development website is knocked offline.

July 29, 2021

SentinelLabs publishes its analysis, naming the malware 'Meteor' and the incident 'MeteorExpress'; it cannot tie the attack to a known group.

August 1, 2021

Check Point links the operation to a hacktivist persona called 'Indra', previously active against Iranian-aligned targets in Syria.

Sources

sentinelone.comhttps://www.sentinelone.com/labs/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/

thehackernews.comhttps://thehackernews.com/2021/07/a-new-wiper-malware-was-behind-recent.html

therecord.mediahttps://therecord.media/cyber-attack-on-iranian-railway-was-a-wiper-incident-not-ransomware

threatpost.comhttps://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/

Related incidents

WiperResolvedJune 27, 2017

NotPetya destructive wiper

A destructive wiper disguised as ransomware, propagated via a compromised Ukrainian accounting software update. Estimated $10 billion in global damage — the most economically destructive cyberattack in history.

Victim: M.E.Doc users (Maersk, Merck, FedEx-TNT, Mondelez, Saint-Gobain et al.)
Loss: $10.00B

WiperResolvedNovember 17, 2016

Shamoon 2 wiper attacks on Saudi government

A reactivated Shamoon (Disttrack) wiper destroyed thousands of computers across Saudi government bodies including the General Authority of Civil Aviation, overwriting master boot records with the image of a drowned Syrian child.

Victim: Saudi General Authority of Civil Aviation (GACA) and Saudi government bodies

WiperResolvedJune 17, 2010

Stuxnet (Operation Olympic Games)

U.S. and Israeli intelligence services jointly developed and deployed Stuxnet — the first widely-known cyber weapon to cause physical damage. The worm targeted Iran's Natanz uranium enrichment facility and destroyed approximately 1,000 IR-1 centrifuges over 2009–2010.

Victim: Natanz uranium enrichment facility (Iran)
Loss: $100.0M

WiperContainedMarch 11, 2026

Stryker Handala wiper attack (Iran-linked, 2026)

The Iranian state-linked group Handala compromised Stryker's Microsoft Intune administrator account and used the endpoint-management tool to wipe more than 200,000 servers, mobile devices, and corporate endpoints across 79 countries — bringing operations at one of the world's largest medical-device makers to a halt.

Victim: Stryker