The Life Cycle of a Data Breach

2016 has witnessed an exponential growth in data breach incidents. These incidents led to the compromise of various user details, including email addresses, passwords, usernames, full names, phone numbers and much more. These login credentials, which in many cases were reused on multiple platforms and services, were stolen from social network websites, such as LinkedIn, Tumblr, VK, gaming platforms, adult content websites, and Continue reading “The Life Cycle of a Data Breach”

An Aid to the Aspiring Cyber Intelligence Analyst (Part 1)

So you read all about the cyber underground and want to start snooping around? Well, knowing English won’t help you very much, as most communication at these online meeting places is in native languages, using unique slang. To help you, we bring you the first part of the cyber analyst terms table to assist you in your efforts.

Good luck!

table

Cyber landscape
Cyber landscape

Iranian Hackurity – Hacking Group or Security Firm

In the past few years, the penchant of the Iranian regime for legitimizing hacking groups and their activities in Iran has become increasingly evident. While cooperation between the regime and certain hacking groups in Iran remains a non-declarative action by the Iranian government, the remarkable coordination between the two sides cannot be ignored. Examples of this alleged coordination is evidenced in several cases where Iranian hacker groups appear to act according to government interests. Two such examples were the subdual of Iranian hacker activities during the nuclear negotiations and the lull in attacks against banks during the Iranian presidential elections.

That said, it was not unexpected for Iran to become a fertile ground for numerous hacking groups, some more prominent than others.

This legitimacy and the free-hand policy have indirectly created an interesting trend in the Iranian cyber arena – rather than hiding and masking their activities, Iranian hackers or hacking groups are presenting themselves as security firms. This new ‘security firm’ disguise, ‘Hackurity’ if you will, may appear legitimate from the outside, but a review of the individuals supporting these firms or managing them, reveals a very different picture.

Such was the case in the Iranian DataCoders Security Team and cyber security firm.

Since it commenced activities in 2010, and especially throughout 2012-2013, this hacker group has repeatedly breached American and Israeli websites.

Defacement mirror by the Iranian DataCoders Security Team
Defacement mirror by the Iranian DataCoders Security Team

Additional examples revealed the possibility that the group is also operating under an Arab alias.

At the beginning of August 2013, an unknown hacker group calling itself Qods Freedom claimed to have waged several high-volume cyber-attacks against official Israeli websites and banks. In their Facebook account, they presented themselves as Palestinians hackers from Gaza. Taking into consideration Palestinian hacker capabilities, as well as an examination of the defacement signature left by ‘Qods Freedom’ has led us to believe that the group has connections with Iran. One of the Iranian groups that used the same signature on the exact same day was the Iranian DataCoders Security Team.

It appears that the Iranian DataCoders is going to a lot of trouble to maintain its legitimacy as a new security firm, rather than sticking to its former title as a hacker group.

The group’s new web platform – DataCoders.org
The group’s new web platform – DataCoders.org

Another hacker group recently caught in the spotlight is the Ajax Security Team (AjaxTM). As in the first case, with its misleading decline in defacement activity, AjaxTM started to run a new platform – a security firm by the name of Pars-Security (Persian: شرکت امنیتی پارس پردازش حافظ).

According to a list posted in 2012 on an Iranian computer blog, the group is ranked among the top three Iranian hacker groups at that time, and is mostly active in the fields of training, security, penetration testing, and network exploits and vulnerabilities.

The group leader is Ali Alipour, aka Cair3x, who operates an active blog, where he describes himself as “Head of the Ajax Security Team.” Alipour is a former member of one of the oldest and most prominent hacker groups in Iran – “Ashiyane Digital Security Team” – and is accredited with perpetrating some of the exploits and defacements by the group. He was also listed on several forums as “one of Iran’s most terrible hackers“.

‘Pars-Security’ provides various services to the private and business sectors, including penetration testing, security and web programming. One of their most popular products is a technical guide entitled “Configuration and Server Security Package,” produced in cooperation with AjaxTM.

The company CEO is the AjaxTM leader – Ali Alipour – and the contact details on the Pars-Security website are his.

Pars-security.com contact details
Pars-security.com contact details

Although the ‘About us’ section on the site discloses that the company enjoys the support of the AjaxTM members, there is good reason to believe that the company is actually run by the Ajax Security Team themselves.

Another example of the tight relations between the ‘formats’ of Iranian hacker groups and security firms is the Mihan Hack Security Team. Since 2013, this group’s forum has been inactive, and was probably disabled by the group itself. With its forum and old website down, Mihan Hack has begun to reposition itself as a legitimate security firm.

Mihan Hack Security Team Website
Mihan Hack Security Team Website

The above-mentioned groups are just an example of the ‘hackurity groups’ trend in Iran. Our monitoring of the Iranian cyber arena has revealed more and more hacker groups once renowned for their defacement activities and hacking tool development, who have started to position themselves as ‘white hat’ security advisors and small Information Security (IS) consulting companies. The idea of active hackers supporting security firms and providing security services is not new, but is especially intriguing in Iran. The ‘former’ hacker groups that might be government-affiliated or supported are opening their own security firms rather than supporting existing firms and promoting self-developed products.

This action, accompanied by a decline in the declared activities of the group can divert attention from undercover activities and allows the group to operate more freely – a valuable resource for any hacker group, especially an Iranian one, due to the ever-growing global interest in Iran’s cyber activity.

Cyber in the Sky – RQ-170 Incident

On December 4, 2011, an American RQ-170 UAV crash-landed in northeastern Iran, bringing Iranian cyber warfare and electronic warfare (EW) capabilities to center stage. Since then, there has been much speculation about the cause of the malfunction in the UAV and possible Iranian involvement in bringing it down.

The Iranian government made an official announcement, declaring it had successfully taken over the UAV systems and landed the UAV intact.

But how did Iran do it?

While it was generally known back in 2011 that Iran possessed GPS jamming capabilities, the demonstration of this purported new capability to control a U.S. UAV and force it to land in Iranian territory sparked a whole new discussion regarding Iranian cyber warfare capabilities.

Experts on both sides suggested the possibility of GPS spoofing, thus taking it to another level.

While aircraft jamming is a known capability, albeit requiring a powerful-enough jammer, spoofing is what some would call the next level. It involves taking control over an aircraft navigation system and forcing it to land instead of following protocol and returning home when faced with enemy EW measures. Supporters of the ‘Spoofing Theory’ claim that the RQ-170 actually did follow protocol and returned to its ‘newly programmed’ home base – outside Kashmar in Iran.

According to several Iranian sources, this was an integrated attack combining a first stage of jamming followed by a second stage of spoofing.

Starting by disconnecting the UAV from its command center, the Iranians forced it to switch to internal guiding systems. At this point, the GPS system was jammed and misleading geographic data was sent to the UAV making it ‘believe’ that it was above the correct landing point.

It is important to mention that the idea of a possible disconnection of the UAV from its command center was noted by several sources but no references were made to the means by which this was achieved. It is unclear whether the disconnected command center was operating from the U.S. or from an American base in Afghanistan.

Although this scenario was suggested by Iranian sources and it is only one of several possible explanations for the incident, it is nonetheless important to consider the GPS spoofing as a very real option and be aware of the effect this ability can have on positioning Iran as a leading cyber warfare player in the Middle East.

RQ-170 Sentinel UAV
RQ-170 Sentinel UAV model as published by Iranian sources