Iranian Hackurity – Hacking Group or Security Firm

In the past few years, the penchant of the Iranian regime for legitimizing hacking groups and their activities in Iran has become increasingly evident. While cooperation between the regime and certain hacking groups in Iran remains a non-declarative action by the Iranian government, the remarkable coordination between the two sides cannot be ignored. This alleged coordination is evidenced in several cases where Iranian hacker groups appear to act according to government interests. Two such examples were the subdual of Iranian hacker activities during the nuclear negotiations and the lull in attacks against banks during the Iranian presidential elections.

That said, it was not unexpected for Iran to become a fertile ground for numerous hacking groups, some more prominent than others.

This legitimacy and the free-hand policy have indirectly created an interesting trend in the Iranian cyber arena – rather than hiding and masking their activities, Iranian hackers or hacking groups are presenting themselves as security firms. This new ‘security firm’ disguise, ‘Hackurity’ if you will, may appear legitimate from the outside, but a review of the individuals supporting these firms or managing them, reveals a very different picture.

Such was the case with the Iranian DataCoders Security Team and cyber security firm.

Since it commenced activities in 2010, and especially throughout 2012-2013, this hacker group has repeatedly breached American and Israeli websites.

Defacement mirror by the Iranian DataCoders Security Team

Additional examples revealed the possibility that the group is also operating under an Arab alias.

At the beginning of August 2013, an unknown hacker group calling itself Qods Freedom claimed to have waged several high-volume cyber-attacks against official Israeli websites and banks. In their Facebook account, they presented themselves as Palestinian hackers from Gaza. Consideration of Palestinian hacker capabilities, together with an examination of the defacement signature left by ‘Qods Freedom’, has led us to believe that the group has connections with Iran. One of the Iranian groups that used the same signature on the exact same day was the Iranian DataCoders Security Team.

It appears that the Iranian DataCoders is going to a lot of trouble to maintain its legitimacy as a new security firm, rather than sticking to its former title as a hacker group.

The group’s new web platform – DataCoders.org

Another hacker group recently caught in the spotlight is the Ajax Security Team (AjaxTM). As in the first case, with its misleading decline in defacement activity, AjaxTM started to run a new platform – a security firm by the name of Pars-Security (Persian: شرکت امنیتی پارس پردازش حافظ).

According to a list posted in 2012 on an Iranian computer blog, the group is ranked among the top three Iranian hacker groups at that time, and is mostly active in the fields of training, security, penetration testing, and network exploits and vulnerabilities.

The group leader is Ali Alipour, aka Cair3x, who operates an active blog, where he describes himself as “Head of the Ajax Security Team.” Alipour is a former member of one of the oldest and most prominent hacker groups in Iran – “Ashiyane Digital Security Team” – and is credited with perpetrating some of the exploits and defacements by the group. He was also listed on several forums as “one of Iran’s most terrible hackers.”

‘Pars-Security’ provides various services to the private and business sectors, including penetration testing, security and web programming. One of their most popular products is a technical guide entitled “Configuration and Server Security Package,” produced in cooperation with AjaxTM.

The company CEO is the AjaxTM leader – Ali Alipour – and the contact details on the Pars-Security website are his.

Pars-security.com contact details

Although the ‘About us’ section on the site discloses that the company enjoys the support of the AjaxTM members, there is good reason to believe that the company is actually run by the Ajax Security Team themselves.

Another example of the tight relations between the ‘formats’ of Iranian hacker groups and security firms is the Mihan Hack Security Team. Since 2013, this group’s forum has been inactive, and was probably disabled by the group itself. With its forum and old website down, Mihan Hack has begun to reposition itself as a legitimate security firm.

Mihan Hack Security Team Website

The above-mentioned groups are just an example of the ‘hackurity groups’ trend in Iran. Our monitoring of the Iranian cyber arena has revealed more and more hacker groups once renowned for their defacement activities and hacking tool development, who have started to position themselves as ‘white hat’ security advisors and small Information Security (IS) consulting companies. The idea of active hackers supporting security firms and providing security services is not new, but is especially intriguing in Iran. The ‘former’ hacker groups that might be government-affiliated or supported are opening their own security firms rather than supporting existing firms and promoting self-developed products.

This action, accompanied by a decline in the declared activities of the group, can divert attention from undercover activities and allow the group to operate more freely – a valuable resource for any hacker group, especially an Iranian one, due to the ever-growing global interest in Iran’s cyber activity.

Q&A with Ruth Kinzey: The Reputation Impact of a Cyber Breach – What Are the Potential Risks and How Can Organizations Mitigate Them?

Written by Ruth Kinzey

As current events clearly illustrate (Adobe, Target and eBay breaches), there is more to a cyber breach than lost data – a massive cyber incident also has the potential to deeply harm the victim/company’s reputation. Today we would like to explore the issue of reputation management with regard to cyber threats.

For this we have invited Ruth Kinzey, who kindly agreed to share her views on the topic.

Ruth Kinzey, MA, is a reputation strategist with more than 35 years of communications experience. Ruth is a professional speaker, consultant, author, trainer, and adjunct faculty member of Rutgers University. She is founder and president of The Kinzey Company, an organization dedicated to helping clients proactively and strategically enhance and protect their reputations.

Ruth Kinzey

Q: How does strategic reputation management differ from PR or online reputation management?

Both public relations and online reputation are part of the strategic reputation management equation. Being strategic about an organization’s reputation means taking a holistic view by analyzing multiple audiences and communication channels; determining how well aligned the company is within itself; and examining the context in which the business operates. The organizational context takes into account the potential impact local, national and even international events can have on an organization’s reputation in addition to what is happening in the institution’s industry or sector as well as the culture of the firm.

The goals of strategic reputation management are to proactively enhance an organization’s reputation and to help protect it in times of crisis. Consequently, it’s also necessary to understand the organization’s current reputation as well as its reputational goals.

Q: What are the challenges of reputation management in today’s world of cybercrime and cyber warfare?

The cyber world is a bit like the “Wild West.” Laws are not consistent from country to country. Judicial rulings are challenged to keep pace with cyber crime. And while breaches, which impact the privacy of individuals and organizations, can be significant – even catastrophic, the perpetrators must be caught before they can be dealt with aggressively. So, the problem with “cyber lawlessness” is that it financially victimizes the institution and its many stakeholders and can tarnish reputations. This is why every organization should assess and manage its cyber risk.

System vulnerabilities must be identified, prioritized, and mitigated as much as possible. Because hackers are enterprising and highly likely to find weak links in the operating system that an organization may not even realize are present, a crisis plan should be created, too. That way, when a company – or even a nonprofit – is in the midst of dealing with some type of “cyber atrocity,” the organization isn’t trying to make important decisions such as when to notify government agencies, law enforcement, and customers. The institution also isn’t scrambling to determine the best way to contact customers or shareholders or what they should do to help clients or employees best manage the breach.

Without developing cyber risk mitigation measures and carefully constructing a crisis plan, an organization is going to lose more than data. The breach will lead to a reputational disaster, too, because the company will not be prepared on either front. Depending upon the degree of damage that occurs, the business may or may not be able to recover.

Q: Do you think today’s C-suite and upper management understand the impact a cyber incident could have on the organization’s reputation? And, do you believe they are doing anything to mitigate it?

One cannot listen to the news without recognizing the likelihood of a cyber attack. And, there are many businesses – even departments within the government – that have experienced data breaches. Consequently, there are case studies explaining what happened, how the organization managed the crisis, and the resulting reputational impact. So, senior leadership understands cyber crime is a very real threat to an organization’s operation and reputation.

However, is upper management doing anything to mitigate it? That is a very different question. And, the response varies from company to company.

Dealing with cyber crime requires vigilance and money, particularly as hackers become more and more sophisticated in their techniques. Senior leadership and the government are recognizing the importance of collaboration and information sharing. Industry and professional organizations are realizing they have a role in bringing together members to focus on the cyber crime issue and to help tackle this worldwide problem as well.

Q: Which is more harmful: insufficient security of corporate information or customers’ information? What could lead to greater reputational damage?

Both are harmful and both have the potential of damaging reputations. Depending upon the amount and type of data compromised, an individual could experience financial devastation and significant reputational damage. The actions of a business – before, during and after a cyber attack – could result in catastrophic financial implications as well as a severely damaged reputation.

People want to know the company has taken appropriate measures to protect data and that the business is doing all it can to keep personal information safe. In addition, the public wants a trustworthy business partner that keeps them informed about security issues and is willing to help them during the aftermath. A company not perceived as behaving in a proactive and trustworthy manner will experience even greater reputational damage.

Q: How can reputational damage be contained?

It is impossible to entirely contain reputational damage because an organization’s reputation is ultimately in “the eye of its beholder.” Having said this, there are steps a business can take to help reduce the severity of reputational damage.

First, it is important for the company to proactively enhance its reputation through actions such as exemplary customer service, ethical and transparent conduct, and environmentally and socially responsible behaviors. Model performance builds trust and goodwill. This positive reputation helps the public believe in the good intentions of the organization, which causes a more favorable opinion and generates support during times of trouble.

Having a crisis management plan, which includes communication, will help an organization better protect its reputation when in the midst of a cyber attack. Minutes count in any crisis, so having protocols and procedures established improves an organization’s responsiveness to the situation and enables the firm to respond to its many stakeholders in a more thoughtful, strategic manner – both during and after the cyber crime.

Q: Can reputational data be measured?

Yes. But the methodology can vary, depending upon what is being measured.

Insurance companies are paying closer attention to the impact a negative reputation has on a company’s success. Some insurers even offer public relations or media relations assistance when they become aware of potential crises being faced by clients. Other agencies offer reputation insurance because they are keenly aware of the financial impact involved when reputational loss occurs.

If publicly owned, the investor relations department may judge the degree of reputational capital the organization has by factors such as the stock price or number of investors; whereas, the marketing department may measure the number of lost customers, customer feedback, and overall lagging sales. On the other hand, the media relations department may judge the status of the company’s reputation by the types of media inquiries, the tone of articles, the frequency of references to the company in relation to a security breach, or other even more sophisticated parameters. And, there are many online agencies that examine the social profile of a business and offer reputational insights in conjunction with this.

So, reputation – both positive and negative – can be measured. But, it is important to know exactly what you are trying to measure and to have objectives clearly in mind before selecting the best form of measurement to capture this information.

Q: Can an organization’s reputation recover after a cyber attack?

It is possible for an organization to recover after a cyber attack. However, this is primarily dependent upon the company’s actions before, during and after the occurrence of this crime.

The public wants to know the firm took appropriate precautionary steps. Were systems in place to help mitigate such attacks? Was management vigilant and issues escalated upon detection?

Also, were victims – and potential victims – notified quickly about the compromise in security and kept abreast as to how their data was affected? Even if a firm doesn’t know the full implications of the breach, it’s a good idea to offer general information and to provide suggestions for protecting personal data.

Not only is a company’s conduct important prior to and during the unfolding of a cyber attack, but people judge a business on its behavior after such an incident. Does the firm demonstrate its understanding of the gravity of the situation? What actions will it implement to try to protect against the same type of situation from occurring again? Are people within the institution being held accountable, particularly if the event was preventable or could have been better contained? Is the organization trying to help victims by taking steps such as offering free credit monitoring?

Overall, the public can be amazingly forgiving, if a business has a good reputation and demonstrates exemplary conduct in how it manages a cyber attack. If this is the case, even if there is a dip in stock performance or lower sales in the short term, people will return. However, if the business has not been proactive in trying to protect its data, lacked transparency in its reporting, or failed to demonstrate its genuine regret for what happened, it will be much more difficult to regain customer, investor, government and public trust.

#OpIsrael Birthday Campaign – Summary

Written by Hila Marudi, Yotam Gutman and Gilad Zahavi

The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.

#OpIsrael Birthday logo

It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.

Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.

Data leaked from Bar-Ilan University

Summary of the groups participating in the campaign:

Group name | Group details | Activity
AnonGhost | Tunisian, the campaign instigator | Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses
AnonSec | Pro-Palestinian Muslim group | Leaked government email addresses, defaced websites and launched DDoS attacks
Fallaga | Tunisian | Built web-based attack tools and shells, launched DDoS attacks against government sites
Security_511 | Saudi group | Launched DDoS attacks against government sites and leaked government email addresses
Izzah Hackers | Pro-Palestinian Muslim group | Launched DDoS attacks against websites and leaked email addresses
Hacker Anonymous Military | Pro-Palestinian Muslim group | Launched DDoS attacks against government sites, leaked government email addresses and defaced websites
Moroccan Agent Secret | Moroccan group | Defaced websites and leaked email addresses

According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.

Conclusion

According to our analysis, we have not witnessed a dramatic change since the previous OpIsrael campaign that took place on April 7, 2013. We can think of at least two reasons for that:

  • The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
  • During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.

It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much bigger than the last campaign.

However, under the surface we have been noticing in recent weeks an emerging and concerning trend. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. Those groups also share information between themselves (guide books, scripts, tutorials). Lately we have even identified an exchange of capabilities between Russian cyber criminals and anti-Israeli hackers and hacktivists.

The next phase, and we are not there yet, might be the purchase of advanced cyber weapons by terrorist organizations. It can be only a matter of time until terrorist groups (al-Qaeda for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.

Evolution of Hacktivist Campaigns

In the next week we are going to see a major hacktivist operation, aimed against Israel, called #OpIsraelBirthday, which is supposed to start on the 7th of April. The operation is dubbed “birthday” since it comes to commemorate the last OpIsrael that took place on the same date last year. In recent weeks, there was a lot of internal debate in SenseCy about what has changed from then to now and what we can expect to see in the coming operation. I think that the results of this debate might be interesting to you as well:

– DDoS Attacks – DDoS attacks are nothing new, but recently, attackers have started utilizing a new-old approach in the form of reflection attacks. If a year ago the attacks peaked at 30Gb/sec, it’s more than plausible to assume that we’re going to see attacks one order of magnitude higher than that. This might be manageable for a large country, but for Israel it might cause problems in the ISP infrastructure itself and not just create a denial of service to the target site.

– Self-Developed Code – Up until now, most of what we have seen coming from the anti-Israel hacktivism groups was reuse of anonymous code, with maybe slight improvements in the UI. Lately we have started to identify unique, original code developed by the groups themselves. Some of it depends on existing code and available libraries, but this might be an indicator of things to come.

AnonGhostDDoSer – Developed by AnonGh0st for OpIsraelBirthday

– Dumps vs. Defacements – It seems that the general objective now is less the defacement of sites and more the ability to create harm and panic through the publication of stolen data dumps. We see more and more details regarding allegedly hacked sites (some of them important) with the promise that the databases will be published on the 7th of April. This is probably the first time these hacktivist groups are trying to achieve a more widespread impact that is, at least in spirit, similar to the terror effect.

– Shells and RATs – It seems that SQL injection and cross-site scripting are shifting from being the end result to being the means by which the hacktivist groups place web shells on their targets or infect the targets with RATs and other malware. It might, in effect, suggest a more coherent effort to cause more sophisticated damage to their targets.

All in all, it seems that the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation seems to be larger and more dangerous than the last one (in terms of tools available and number of participants). However, companies and organizations that are aware of the threat can, in turn, take actions to handle and mitigate these attacks.

Qods Freedom Hacker Group – Possible Iranian Involvement in Cyber Activity against Israel

In late July and early August 2013, a Gaza-based hacker group named “Qods Freedom” launched a cyber-operation against Israeli websites. The attack comprised distributed denial-of-service (DDoS) attacks, website defacements and attempted bank account breaches.

"Qods Freedom" Facebook page

The DDoS-affected sites were Israel Railways, El Al (Israel’s national airline) and a leading daily newspaper. The attacks were all effective, topping at about 3.2 Gb/sec, rendering the sites inaccessible for many hours.

Screenshot posted by the group showing El Al site down due to their attack

The group defaced over 600 sites, most of them related to two hosting service providers (likely to have been compromised). The defacement messages suggest that the motivation for the attack was to commemorate “Quds Day” – the last Friday of Ramadan. The group did not attempt to conceal its actions. Quite the contrary – it has an official Facebook page and Imageshack account where it posted images purportedly depicting the breach of Israeli bank accounts.

The political affiliation of the group seems very clear – hardcore Palestinian, anti-Israeli. This was also evident from pictures they posted on the defaced sites that included images of the Dome of the Rock, the Palestinian flag, footage of protesters skirmishing with IDF soldiers, and a portrait of Hezbollah leader Hassan Nasrallah with a quote from his famous “Spider Web” speech, which he delivered in southern Lebanon in 2000 (where he predicted that Israel would break apart like spider webs in the slightest wind).

The group’s defacement signature quoting Nasrallah with a typo

After the attack subsided, SenseCy cyber intelligence analysts decided to take a closer look at the actions of this so-called Palestinian group. Gilad Zahavi, Director of Cyber Intelligence, recounted: “Something just didn’t add up. We were seeing many indications that this group was not what it portrayed itself to be, so we decided to dig deeper.”

Using virtual entities (some of which have been in operation for some time, and are used to collect information on the vibrant hacking scene in Gaza), they started sniffing around on Palestinian forums and social media groups, but no-one seemed to know much about this group. With little else to do, the team looked again at the “signature” the group left after defacing one website. And there it was – a very uncharacteristic typo in the transcript of Nasrallah’s famous speech, one that no native Arab speaker would make. This raised suspicions that this group might not be Arab at all. A closer look at the font used to type the message confirmed that it originated from a Farsi-language keyboard.

Focusing on the Iranian connection, the team uncovered several other indications of the true origins of the group. For starters, “Quds Day” is mostly celebrated by the Iranian government and Hezbollah, not by Palestinian Sunnis. Secondly, the only references to these attacks (anywhere in the Muslim world) have come from the Iranian media. Two additional Iranian groups, “Iranian Data Coders” and “Persian Flag Guards”, use the same defacement signature, indicating at least some affiliation to Iranian cyber groups. The last telltale sign was that Iranian hacker groups often choose to masquerade as Arab hackers, choosing Arabic instead of Farsi names. A notable example is the “Izz ad-Din al-Qassam Cyber Fighters”, perceived to be linked to the Palestinian Hamas organization, but in fact operated by the Iranian regime.

So there you have it – an Iranian group with high technical capabilities, masquerading as a Palestinian group and attacking Israeli sites. This scheme was uncovered not by fancy computer forensics, but by good old-fashioned intelligence work, built on linguistic and cultural expertise, combined with a deep understanding of the cyber domain and intimate knowledge of the Middle East hacking scene.

Ukraine versus Russia in a Cyber-Duel

The eyes of the world are trained on events unfolding between Russia and the Ukraine these days – partly curious, partly concerned, with others directly supportive of one of the sides, either through actions or by disseminating the agenda they believe in. Everyone understands that this conflict (or should we already use the term “war”?), may have a huge impact on the balance of power in Eastern Europe, and further afield. For the time being, we can only assume what Russia’s true goals are in this conflict and to what extent it can deteriorate. But one thing is already clear – this is a confrontation not only in the battlefield, with tanks and guns, but also in cyberspace, where the weapons are site defacements, data leaks and damage to the networks of financial and critical infrastructures. And it is not so obvious which of them is the more merciless and destructive…

This is not the first time that Russia has resorted to cyber-attacks against her enemies. April 2007 is still burned into the collective memory of Estonia, when thousands of sites belonging to Estonian organizations came under cyber-attack over a three-week period, which withheld many essential services from the general public.

Another conflict that served as a background to numerous cyber-attacks was the Russia–Georgia war in 2008. South Ossetian, Russian, Georgian, and Azerbaijani informational and governmental websites were hacked, resulting in defacements with political messages and denial of service to numerous websites. It was not clear whether the attacks were organized, government-supported warfare or a riot of individuals and groups touting pro-Russian views.

The current confrontation in the Crimean Peninsula has only been underway for a few days, but it is already widely backed by supporters from both sides in cyberspace. Many websites with Russian and Ukrainian URLs have already been hacked and #OpUkraine and #OpRussia campaigns launched on social networks, mainly VK, Odnoklassniki and Facebook.

The Ukrainians, imbued with patriotic feelings, are trying to hack Russian sites and leak data. The Ukrainian site Bimba, which calls itself the “cyber weapon of the Maidan revolution,” announced its recruitment of cyber volunteers wishing to work for the benefit of the Ukraine.

Defacement of Russian Sites by Anonymous Ukraine
Recruitment of cyber volunteers on anti-Russian site

The VK group #опПокращення // #OpUkraine, identified with Anonymous, uploaded a paste to the pastebin.com site, containing an anti-Russian message and a link to a download of internal SQL data from Crownservice.ru (which publishes tenders for governmental jobs), in a file called Putin Smack Down Saturday.

Other hacker groups in the Ukraine hacked regime websites, in expression of their support for the revolution. In general, a large number of internal cyberattacks among the different Ukrainian groups have been executed since the clashes began at the end of 2013. One of the more prominent was the hacking of the email of Ukraine opposition leader, Vitali Klitschko.

Russia tried to get even, although in a less obvious manner. Starting February 28, reports about cyberattacks in the Crimean Peninsula were published by some sources. Local communication companies, as well as landline and Internet services, experienced problems that may have been caused by cyberattacks. Moreover, Russia’s Internet monitoring agency (Roskomnadzor) has blocked Internet pages linked to the Ukraine protest movement.

Aside from Russians and Ukrainians, this conflict has attracted hackers from other countries, and we have already seen Turkish, Tunisian, Albanian and Palestinian hacker groups attacking Russian sites in support of the Ukrainian revolution.

Turkish hacker teams join in hacking Russian and Ukrainian sites
Anonymous Gaza hack Russian websites

At the time of writing, news sites have reported two more attacks on Russian sites by Ukrainian activists. This is a surprising, dynamic duel, and cyberspace is likely the stage upon which it will be played out.

Hacking as an Artistic Expression

Hackers are creative people. Everybody knows that. They have to be technically creative in order to outsmart security mechanisms, perform their antics and get away without being caught (sometimes).
But artistic creativity? Not the first thing we associate with hacking. However, after witnessing their creative works of art, we felt compelled to share these with you.
So you are welcome to enjoy the works of the “Russian classical painters”, the “surrealist hacktivists designers” and the “Iranian masters”:

A Russian hacking forum
Portal of Russian hackers
Another Russian hacking forum
A carding shop
#OpUSA (May 7, 2013)
#OpPetrol (June 20, 2013)
#OpEgypt
Iranian Cyber Army (ICA)
Ashiyane Digital Security Team (ADST)