I’ve been learning about information security recently and have taken a keen interest in cyber threat intelligence. Here is a paper I recently wrote on an Iranian hacking organization.
Iran is a Middle Eastern nation governed by an Islamic government. Since 1979, Iran’s national strategy has been to become a regional power in the Middle East. However, its political actions and rhetoric against Israel and the United States have often provoked reactions, at times including offensive operations against Iran.
Due to its limited conventional military power and its understanding of its enemies’ military and political capabilities, Iran often chooses to push its international agenda through proxies, sponsorships, and clandestine forces. These organizations have a worldwide reach. They range from the directly controlled (the Islamic Revolutionary Guard Corps, or IRGC) to opposition pseudo-governments (Hezbollah in Lebanon) to minority revolutionary groups (the Houthis in Yemen).
Iran in Cyber Space
Given the low cost and high impact of cyber operations, Iran has become a prominent actor in cyberspace, responsible for some of the largest nation-state-level attacks of the last 10 years.
Iranian hacking started small: website and bulletin-board defacements and propaganda.
Following the internal strife of 2009, the Government of Iran created its first internal cybersecurity organization, Gerdab.ir. According to RecordedFuture.com, “Gerdab.ir emerged as the IRGC’s domestic hacking group tasked with targeting opposition news websites and individuals considered immoral by the regime”. Following the Stuxnet attack in 2010, Iran expanded its cyber capabilities, creating the Iranian Cyber Army (ICA). Since 2011, the ICA has been accused of attacks on the US, Saudi Arabia, and Turkey.
According to RecordedFuture.com, although it still uses the ICA, Iran increasingly relies on contract hackers to conduct offensive operations. These hackers may or may not be ideologically aligned with the regime, but by working through IRGC middle managers they do its bidding for the right price. This contract relationship gives the Iranian government access to skilled hackers, and gives the hackers freedom from any obligation to Iranian ideology. Security research indicates that many of these contract hackers come from either online forums or state-funded Iranian universities. Current groups go by names such as Charming Kitten or Rocket Kitten.
Besides recognized contract hackers, Iran also has several Advanced Persistent Threats (APTs) that conduct offensive cyber operations against targets throughout the world. Iran currently has three tracked APTs: APT33, APT34, and APT35. According to RecordedFuture.com, the two elements differ in that the contract hackers are innovative but less deliberate, while the APTs “develop custom malware, target data exfiltration from strategic intelligence targets such as U.S. military contractors, Middle East energy companies, and university research networks”.
According to FireEye, APT34 has been active since at least 2014. APT34, also referred to as OilRig or Helix Kitten, is known to target regional corporations and industries. Although information about APT34 existed before 2019, a series of leaks on the Telegram messaging platform by a persona calling itself “Lab Dookhtegan” exposed many of the group’s members and activities.
The Telegram leak named 10 members of APT34. Of the 10, three work in Iran’s Ministry of Intelligence and three others work for the Iranian cybersecurity company Rahacorp (Raha Iran), according to Red Sky Alliance. Material posted on GitHub provides details on six of these individuals.
(Note: as with many online leaks and information dumps, the personnel information below is rated as “low confidence”. While some of the information is detailed, other parts are sketchy.)
The exposed leadership of APT34 includes Omid Palvayeh, CEO and Co-Founder of Rahacorp. On LinkedIn, Palvayeh describes himself as a Security Analyst at Raha. Prior to Rahacorp, Palvayeh worked for the Iran Security Research Center for five years. He attended Shiraz University and received a degree in Computer Engineering.
Another member of APT34 is Ali Reza Ebrahimi. On LinkedIn, Ebrahimi is listed as the Chief Technology Officer of Rahacorp. Ebrahimi describes himself as a software developer from Tehran, Iran. He holds a Master’s Degree in Computer Software Engineering from Sharif University of Technology.
Saud Shahrab is also identified as a member of APT34. He is a programmer interested in security. According to his LinkedIn, he has been a student at Amirkabir University of Technology for 10 years.
Mohammad Masoomi is listed as a student at Tehran Jonoob, according to his sparsely populated LinkedIn page. According to its website, Tehran Jonoob is one of the largest technical and construction companies in Iran. Tehran Jonoob has also completed contracts in India.
(Update: Tehran Jonoob is also the name of Islamic Azad University, South Tehran Branch. This makes more sense than a student working for a technical and construction company. Islamic Azad University, South Tehran Branch has three computer-related degree programs: Information Technology Engineering-Computer Networks MS, Information Technology Engineering-Electronic Commerce MS, and Computer Engineering-Software MS.)
The last named member of APT34 is Taha Mahdi Tavakoli. There is little open-source information on Tavakoli; the only identifiable details are an email address and a phone number.
While FireEye and other security organizations list APT34’s targets as financial, government, energy, chemical, telecommunications and other industries throughout the Middle East, the Lab Dookhtegan leak provided detail on which national organizations were targeted. The leak included data stolen from the following organizations:
United Arab Emirates
• Ministry of Presidential Affairs
• National Oil Company
• Policy Center
• Prime Minister Office
• Statistic Center
• National Information Technology Center
• Primus Software Solutions Company
• National Security Agency
• Amiri Diwan (Emir’s Royal Palace)
• Building and Road Research Institute
• Administrative Court
APT34 conducts cyber espionage on behalf of Iran. Iran seeks to diminish the capabilities of other regional powers to create leverage and better establish itself. This strategy is especially important against nations it sees as a threat to its regional power such as Saudi Arabia and the United Arab Emirates.
APT34 uses a variety of tools in its operations. Its primary malware tools are:
• Glimpse (aka BondUpdater), the latest version of the PowerShell-based BondUpdater trojan
• PoisonFrog, an older version of BondUpdater
• HyperShell web shell (aka TwoFace)
• HighShell web shell
• Fox Panel phishing tool
• Webmask, the main tool behind the DNSpionage DNS-hijacking campaign
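Two of the tools above lean on DNS: public vendor analyses of BondUpdater/Glimpse describe command-and-control carried in DNS query names and TXT answers, and DNSpionage was a DNS-hijacking campaign. The script below is an added example of the kind of detection a defender would run for the first pattern; it is not code from this post, from the leak, or from any vendor, and it draws only on the DNS-based C2 characterisation from public reporting. The log format, the client addresses and the domain c2-updater.test (a reserved .test name) are all constructed for the example.

```python
"""Heuristic detection of DNS-tunnelling style command-and-control.

Added example for this post. The sample log below is constructed: the
client IPs, the log format and the C2 domain "c2-updater.test" are all
hypothetical and are not indicators from any real campaign.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<client_ip> <qtype> <qname>".
BENIGN_LINES = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A mail.example.com",
    "10.0.0.5 AAAA www.example.com",
    "10.0.0.7 A www.example.com",
    "10.0.0.7 A updates.example.org",
    "10.0.0.9 A cdn.example.org",
    "10.0.0.9 TXT _dmarc.example.com",
]


def constructed_tunnel_lines(client="10.0.0.7", domain="c2-updater.test", n=12):
    """Synthesise n queries whose leftmost label carries encoded data.
    SHA-256 prefixes stand in for hex-encoded payload chunks (constructed)."""
    lines = []
    for i in range(n):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"{client} TXT {chunk}.{domain}")
    return lines


SAMPLE_LOG = BENIGN_LINES + constructed_tunnel_lines()


def shannon_entropy(s: str) -> float:
    """Bits per character, computed over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname: str):
    """Split a query name into (subdomain part, parent domain), treating the
    last two labels as the parent. Real deployments should use the Public
    Suffix List so names like example.co.uk are grouped correctly."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(lines, min_unique=10, min_entropy=3.0, min_label_len=20):
    """Group queries by (client, parent domain) and flag pairs that show many
    distinct, long, high-entropy leftmost labels: the footprint of data being
    smuggled in query names. Returns a list of finding dicts."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        sub, parent = split_name(qname)
        if sub:
            groups[(client, parent)].append((qtype, sub))

    findings = []
    for (client, parent), queries in groups.items():
        unique_subs = {sub for _, sub in queries}
        if len(unique_subs) < min_unique:
            continue
        first_labels = [sub.split(".")[0] for sub in unique_subs]
        mean_entropy = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        mean_len = sum(map(len, first_labels)) / len(first_labels)
        txt_fraction = sum(1 for q, _ in queries if q == "TXT") / len(queries)
        if mean_entropy >= min_entropy and mean_len >= min_label_len:
            findings.append({
                "client": client,
                "domain": parent,
                "unique_subdomains": len(unique_subs),
                "mean_entropy": round(mean_entropy, 2),
                "txt_fraction": round(txt_fraction, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the benign hosts never reach the unique-subdomain threshold, while the client querying c2-updater.test is reported with 12 distinct high-entropy labels and an all-TXT query mix. The thresholds are starting points, not tuned values: CDNs, telemetry collectors and anti-spam services also generate many unique subdomains, so in production the parent-domain grouping should use the Public Suffix List and known-good domains should be allow-listed before alerting.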
The following is an abbreviated chart from MITRE ATT&CK on APT34’s techniques.