Cyber expert Ophir Harpaz

The hackers used infected servers to harm companies and create a large decentralized attack that made it extremely difficult to expose them.


A global cyber-attack conducted from more than 1,300 different locations was exposed by a team of Israeli researchers led by Liad Mordekoviz and Ophir Harpaz from Guardicore, an Israeli cybersecurity company.

The main target of the attack was the servers of companies and organizations in the fields of health, tourism, communications, and education, including hospitals, hotels, educational institutions and government agencies, most of them in the US, Vietnam and India.

The Indexsinas campaign started attacking Guardicore Global Sensors Network (GGSN) at the beginning of 2019 and is still active today.

A total of some 2,000 bodies were targeted by Indexsinas SMB worm, also dubbed NSABuffMiner.

The hackers used infected servers as a basis for harming other companies and created a large decentralization of the attack to make it difficult to expose them.

The servers that fell victim to the attack use Microsoft’s SMB protocol. The attackers created a “back door” in companies that were attacked that allowed them to infiltrate the servers repeatedly, with an option to selling access to the infected servers to other elements on the dark web.

It is estimated that hundreds of dollars can be obtained for access to an infected Windows server, which adds up to extremely high sums with the long list of infected servers.

The attackers utilized the systems for digital coin mining, Trojan horses, and information gathering.

They activated advanced means to eliminate the presence of other attack groups located on the servers to seize sole control over them, and deleted their files after use to cover their tracks.

Guardicore researchers have provided security managers around the world with a tool to help understand if their corporate system has been compromised, and recommendations on how to act to protect against similar-style attacks.