Iranian Hackurity – Hacking Group or Security Firm

In the past few years, the Iranian regime’s penchant for legitimizing hacking groups and their activities in Iran has become increasingly evident. While cooperation between the regime and certain hacking groups in Iran remains undeclared by the Iranian government, the remarkable coordination between the two sides cannot be ignored. Examples of this alleged coordination are evident in several cases where Iranian hacker groups appear to act in line with government interests. Two such examples were the subdual of Iranian hacker activities during the nuclear negotiations and the lull in attacks against banks during the Iranian presidential elections.

That said, it was not unexpected for Iran to become a fertile ground for numerous hacking groups, some more prominent than others.

This legitimacy and the free-hand policy have indirectly created an interesting trend in the Iranian cyber arena – rather than hiding and masking their activities, Iranian hackers or hacking groups are presenting themselves as security firms. This new ‘security firm’ disguise, ‘Hackurity’ if you will, may appear legitimate from the outside, but a review of the individuals supporting these firms or managing them, reveals a very different picture.

Such was the case in the Iranian DataCoders Security Team and cyber security firm.

Since it commenced activities in 2010, and especially throughout 2012-2013, this hacker group has repeatedly breached American and Israeli websites.

Defacement mirror by the Iranian DataCoders Security Team

Additional examples revealed the possibility that the group is also operating under an Arab alias.

At the beginning of August 2013, an unknown hacker group calling itself Qods Freedom claimed to have waged several high-volume cyber-attacks against official Israeli websites and banks. On its Facebook account, the group presented itself as Palestinian hackers from Gaza. Taking into consideration Palestinian hacker capabilities, together with an examination of the defacement signature left by ‘Qods Freedom’, we came to believe that the group has connections with Iran. One of the Iranian groups that used the same signature on the exact same day was the Iranian DataCoders Security Team.

It appears that the Iranian DataCoders is going to a lot of trouble to maintain its legitimacy as a new security firm, rather than sticking to its former title as a hacker group.

The group’s new web platform – DataCoders.org

Another hacker group recently caught in the spotlight is the Ajax Security Team (AjaxTM). As in the first case, with its misleading decline in defacement activity, AjaxTM started to run a new platform – a security firm by the name of Pars-Security (Persian: شرکت امنیتی پارس پردازش حافظ).

According to a list posted in 2012 on an Iranian computer blog, the group is ranked among the top three Iranian hacker groups at that time, and is mostly active in the fields of training, security, penetration testing, and network exploits and vulnerabilities.

The group leader is Ali Alipour, aka Cair3x, who operates an active blog, where he describes himself as “Head of the Ajax Security Team.” Alipour is a former member of one of the oldest and most prominent hacker groups in Iran – “Ashiyane Digital Security Team” – and is credited with perpetrating some of that group’s exploits and defacements. He was also listed on several forums as “one of Iran’s most terrible hackers”.

‘Pars-Security’ provides various services to the private and business sectors, including penetration testing, security and web programming. One of their most popular products is a technical guide entitled “Configuration and Server Security Package,” produced in cooperation with AjaxTM.

The company CEO is the AjaxTM leader – Ali Alipour – and the contact details on the Pars-Security website are his.

Pars-security.com contact details

Although the ‘About us’ section on the site discloses that the company enjoys the support of the AjaxTM members, there is good reason to believe that the company is actually run by the Ajax Security Team themselves.

Another example of the tight relations between the ‘formats’ of Iranian hacker groups and security firms is the Mihan Hack Security Team. Since 2013, this group’s forum has been inactive, and was probably disabled by the group itself. With its forum and old website down, Mihan Hack has begun to reposition itself as a legitimate security firm.

Mihan Hack Security Team Website

The above-mentioned groups are just an example of the ‘hackurity groups’ trend in Iran. Our monitoring of the Iranian cyber arena has revealed more and more hacker groups, once renowned for their defacement activities and hacking tool development, that have started to position themselves as ‘white hat’ security advisors and small Information Security (IS) consulting companies. The idea of active hackers supporting security firms and providing security services is not new, but it is especially intriguing in Iran. The ‘former’ hacker groups that might be government-affiliated or supported are opening their own security firms and promoting self-developed products, rather than supporting existing firms.

This action, accompanied by a decline in the group’s declared activities, can divert attention from undercover activities and allows the group to operate more freely – a valuable resource for any hacker group, especially an Iranian one, given the ever-growing global interest in Iran’s cyber activity.

Qods Freedom Hacker Group – Possible Iranian Involvement in Cyber Activity against Israel

In late July and early August 2013, a Gaza-based hacker group named “Qods Freedom” launched a cyber-operation against Israeli websites. The attack comprised distributed denial-of-service (DDoS) attacks, website defacements and attempted bank account breaches.

"Qods Freedom" Facebook page

The DDoS-affected sites were Israel Railways, El Al (Israel’s national airline) and a leading daily newspaper. The attacks were all effective, topping at about 3.2 Gb/sec, rendering the sites inaccessible for many hours.

Screenshot posted by the group showing El Al site down due to their attack

The group defaced over 600 sites, most of them hosted by two hosting service providers (which were likely compromised). The defacement messages suggest that the motivation for the attack was to commemorate “Quds Day” – the last Friday of Ramadan. The group did not attempt to conceal its actions. Quite the contrary – it has an official Facebook page and an Imageshack account, where it posted images purportedly depicting the breach of Israeli bank accounts.

The group’s political affiliation seems very clear – hardcore Palestinian and anti-Israeli. This was also evident from the pictures posted on the defaced sites, which included images of the Dome of the Rock, the Palestinian flag, footage of protesters skirmishing with IDF soldiers, a portrait of Hezbollah leader Hassan Nasrallah and a quote from his famous “Spider Web” speech, delivered in southern Lebanon in 2000 (in which he predicted that Israel would break apart like a spider web in the slightest wind).

The group's defacement signature quoting Nasrallah with a typo

After the attack subsided, SenseCy cyber intelligence analysts decided to take a closer look at the actions of this so-called Palestinian group. Gilad Zahavi, Director of Cyber Intelligence, recounted: “Something just didn’t add up. We were seeing many indications that this group was not what it portrayed itself to be, so we decided to dig deeper.” Using virtual entities (some of which have been in operation for some time, and are used to collect information on the vibrant hacking scene in Gaza), they started sniffing around on Palestinian forums and social media groups, but no one seemed to know much about this group. With little else to go on, the team looked again at the “signature” the group left after defacing one website. And there it was – a very uncharacteristic typo in the transcript of Nasrallah’s famous speech, one that no native Arabic speaker would make. This raised suspicions that this group might not be Arab at all. A closer look at the font used to type the message confirmed that it originated from a Farsi-language keyboard.
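The keyboard-layout clue described above can be checked mechanically. The following script is an added example and is not SenseCy’s tooling; it assumes (this is my interpretation of the “font” observation, not something the post states) that the tell-tale artifact is at the codepoint level: a Farsi layout emits Persian-specific letters such as پ چ ژ گ, and for ک and ی it emits U+06A9 and U+06CC, whereas an Arabic layout emits the near-identical U+0643 and U+064A. Final-form U+06CC has no dots, so to an Arabic reader it reads as a misspelling. The sample strings are constructed for illustration.

```python
import unicodedata

# Letters that exist only in the Persian (Farsi) alphabet, never in standard Arabic.
PERSIAN_ONLY_LETTERS = {"\u067e", "\u0686", "\u0698", "\u06af"}  # PEH, TCHEH, JEH, GAF

# Codepoints a Farsi keyboard emits where an Arabic keyboard emits a
# visually near-identical but distinct codepoint (assumption: this is the
# kind of artifact an analyst looks for when judging the typist's layout).
FARSI_LAYOUT_VARIANTS = {
    "\u06a9": "\u0643",  # KEHEH     vs Arabic KAF
    "\u06cc": "\u064a",  # FARSI YEH vs Arabic YEH
}
ARABIC_LAYOUT_VARIANTS = set(FARSI_LAYOUT_VARIANTS.values())


def script_indicators(text: str) -> dict:
    """Count codepoint-level hints about which keyboard layout produced `text`."""
    counts = {"persian_only": 0, "farsi_variant": 0,
              "arabic_variant": 0, "arabic_script_letters": 0}
    for ch in text:
        if ch in PERSIAN_ONLY_LETTERS:
            counts["persian_only"] += 1
        elif ch in FARSI_LAYOUT_VARIANTS:
            counts["farsi_variant"] += 1
        elif ch in ARABIC_LAYOUT_VARIANTS:
            counts["arabic_variant"] += 1
        # Any letter (category Lo) in the Unicode Arabic block counts as Arabic-script text.
        if unicodedata.category(ch) == "Lo" and "\u0600" <= ch <= "\u06ff":
            counts["arabic_script_letters"] += 1
    return counts


def likely_farsi_keyboard(text: str) -> bool:
    """Heuristic: Arabic-script text carrying Persian-only letters, or more
    Farsi-layout variants than Arabic-layout ones, was probably typed on a
    Farsi layout. Non-Arabic-script text yields False (no evidence either way)."""
    c = script_indicators(text)
    if c["arabic_script_letters"] == 0:
        return False
    return c["persian_only"] > 0 or c["farsi_variant"] > c["arabic_variant"]


def explain(text: str) -> list:
    """List the suspicious codepoints by name, for inclusion in an analyst's report."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch)}"
            for ch in text
            if ch in PERSIAN_ONLY_LETTERS or ch in FARSI_LAYOUT_VARIANTS]


# Constructed samples: the same two Arabic words, once typed on an Arabic
# layout and once on a Farsi layout (escapes used so the difference is visible).
ARABIC_TYPED = "\u0625\u0633\u0631\u0627\u0626\u064a\u0644 \u0643\u0630\u0644\u0643"
FARSI_TYPED = "\u0625\u0633\u0631\u0627\u0626\u06cc\u0644 \u06a9\u0630\u0644\u06a9"

if __name__ == "__main__":
    for label, sample in (("arabic layout", ARABIC_TYPED), ("farsi layout", FARSI_TYPED)):
        print(label, likely_farsi_keyboard(sample), explain(sample))
```

Run on a defacement signature, the `explain` output gives an analyst the exact codepoints to cite; on its own the heuristic is only one indicator and should be weighed with the contextual evidence the post goes on to describe.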

Focusing on the Iranian connection, the team uncovered several other indications of the true origins of the group. For starters, “Quds Day” is mostly celebrated by the Iranian government and Hezbollah, not by Palestinian Sunnis. Secondly, the only references to these attacks (anywhere in the Muslim world) have come from the Iranian media. Two additional Iranian groups, “Iranian Data Coders” and “Persian Flag Guards”, use the same defacement signature, indicating at least some affiliation with Iranian cyber groups. The last telltale sign was that Iranian hacker groups often choose to masquerade as Arab hackers, choosing Arabic instead of Farsi names. A notable example is the “Izz ad-Din al-Qassam Cyber Fighters”, perceived to be linked to the Palestinian Hamas organization, but in fact operated by the Iranian regime.

So there you have it – an Iranian group with high technical capabilities, masquerading as a Palestinian group and attacking Israeli sites. This scheme was uncovered not by fancy computer forensics, but by good old-fashioned intelligence work, built on linguistic and cultural expertise, combined with a deep understanding of the cyber domain and intimate knowledge of the Middle East hacking scene.

Cyber in the Sky – RQ-170 Incident

On December 4, 2011, an American RQ-170 UAV crash-landed in northeastern Iran, bringing Iranian cyber warfare and electronic warfare (EW) capabilities to center stage. Since then, there has been much speculation about the cause of the malfunction in the UAV and possible Iranian involvement in bringing it down.

The Iranian government made an official announcement, declaring it had successfully taken over the UAV systems and landed the UAV intact.

But how did Iran do it?

While it was generally known back in 2011 that Iran possessed GPS jamming capabilities, the demonstration of this purported new capability to control a U.S. UAV and force it to land in Iranian territory sparked a whole new discussion regarding Iranian cyber warfare capabilities.

Experts on both sides suggested the possibility of GPS spoofing, thus taking it to another level.

While aircraft jamming is a known capability, albeit one requiring a powerful enough jammer, spoofing is what some would call the next level. It involves taking control over an aircraft’s navigation system and forcing it to land, instead of letting it follow protocol and return home when faced with enemy EW measures. Supporters of the ‘Spoofing Theory’ claim that the RQ-170 actually did follow protocol and returned to its ‘newly programmed’ home base – outside Kashmar in Iran.

According to several Iranian sources, this was an integrated attack combining a first stage of jamming followed by a second stage of spoofing.

Starting by disconnecting the UAV from its command center, the Iranians forced it to switch to its internal guidance systems. At this point, the GPS signal was jammed and misleading geographic data was sent to the UAV, making it ‘believe’ that it was above the correct landing point.

It is important to mention that the idea of a possible disconnection of the UAV from its command center was noted by several sources but no references were made to the means by which this was achieved. It is unclear whether the disconnected command center was operating from the U.S. or from an American base in Afghanistan.

Although this scenario was suggested by Iranian sources and it is only one of several possible explanations for the incident, it is nonetheless important to consider the GPS spoofing as a very real option and be aware of the effect this ability can have on positioning Iran as a leading cyber warfare player in the Middle East.
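The jam-then-spoof sequence described in the Iranian account has a recognisable shape from the aircraft’s point of view: a period with no usable GPS fix, followed by fixes that disagree sharply with what the inertial sensors say the aircraft has been doing. The script below is an added illustration of that consistency check and is not the RQ-170’s avionics or any real autopilot code; it assumes the platform keeps an independent dead-reckoned position estimate to compare against, and the 500 m divergence threshold, the sample track and the coordinates are all constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class NavSample:
    t: float                                   # seconds since start of the track
    gps_fix: Optional[Tuple[float, float]]     # (lat, lon) in degrees, None when no fix
    ins_estimate: Tuple[float, float]          # dead-reckoned (lat, lon) from inertial sensors


def haversine_m(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def classify(samples: List[NavSample], max_divergence_m: float = 500.0) -> List[str]:
    """Label each sample 'ok', 'no_fix' (consistent with jamming) or 'divergent'
    (GPS disagrees with the inertial estimate by more than the threshold)."""
    states = []
    for s in samples:
        if s.gps_fix is None:
            states.append("no_fix")
        elif haversine_m(s.gps_fix, s.ins_estimate) > max_divergence_m:
            states.append("divergent")
        else:
            states.append("ok")
    return states


def jam_then_spoof_detected(states: List[str]) -> bool:
    """True when a gap in GPS coverage is immediately followed by a fix that
    contradicts the inertial track: the signature of the two-stage scenario."""
    return any(prev == "no_fix" and cur == "divergent"
               for prev, cur in zip(states, states[1:]))


# Constructed track: the aircraft flies east at a steady rate. The first two fixes
# sit ~50 m from the inertial estimate (normal), then GPS drops out (jamming), then
# fixes reappear some 70 km away from where the inertial sensors place the aircraft.
SAMPLES = [
    NavSample(0.0,  (35.0005, 60.0005), (35.0, 60.00)),
    NavSample(10.0, (35.0005, 60.0105), (35.0, 60.01)),
    NavSample(20.0, None,               (35.0, 60.02)),
    NavSample(30.0, None,               (35.0, 60.03)),
    NavSample(40.0, (35.5, 60.5),       (35.0, 60.04)),
    NavSample(50.0, (35.5, 60.5),       (35.0, 60.05)),
]

if __name__ == "__main__":
    states = classify(SAMPLES)
    print(states)
    print("jam-then-spoof pattern:", jam_then_spoof_detected(states))
```

A real platform would fuse many more sources (barometric altitude, airspeed, magnetic heading), but the principle is the same: a navigation solution that trusts GPS unconditionally after a coverage gap has no way to notice that the “home base” it is being steered toward is not where its own sensors say it is.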

RQ-170 Sentinel UAV
RQ-170 Sentinel UAV model as published by Iranian sources

Who Are The Islamic Cyber Resistance?

On January 7, 2014, a relatively new hacker group calling itself the Islamic Cyber Resistance (ICR) claimed they had accessed the Local Area Network (LAN) of the Israel Airports Authority (IAA) and leaked sensitive information regarding domestic and international flight maps.

According to the group, they accessed flight management plans and the ATIS/VOLMET system (Automatic Terminal Information Service), where they could have manipulated data communications, such as flight routing and weather conditions.

The ICR has leaked a great amount of data, most of which is not up-to-date. Our analysis additionally revealed that the leaked data does not originate from the IAA local network, but either from its open and public network or from a different server that contains such information.

Nonetheless, it appears that this group may pose a threat to Western entities, as well as to non-Shi’a ones, as I will explain.

ICR executed their first act on February 25, 2013, when the group leaked the personal details of Bahraini intelligence and high-ranking military personnel. This was accompanied by an image demonstrating the group’s support of Hezbollah leader Hassan Nasrallah.

The attached image

On August 10, 2013, the ICR and the Syrian Electronic Army (SEA), a pro-Assad hacker group, hacked a Kuwaiti mobile operator (Zain Group) and leaked information that included passwords.

On October 22, 2013, the ICR leaked the email addresses of the International Atomic Energy Agency (IAEA). It should be noted that information regarding the IAEA was also leaked in 2012 by the Iranian hacker group Parastoo.

On December 16, 2013, the ICR leaked personal details of 2,014 Israelis affiliated with various security bodies as well as secret documents from the Saudi BinLadin Group (SBG) and Saudi Arabian security officials. They stated that this attack was the group’s revenge for the assassination of Hezbollah Commander Hassan al-Lakkis on December 4, 2013.

Image of SBG document that ICR hackers gained access to

According to the semi-official Iranian Fars News Agency, the group has declared that it is not affiliated with Hezbollah. However, the cyber-attack dubbed “Remember Hassan Lakkis Operation” and the image of Hassan Nasrallah attached to one of the leaks indicate a connection between the group and Hezbollah, or at least the group’s support for the organization.

Moreover, the name of the group in English is the same as one of the names for Hezbollah (Al-Muqawama al-Islamiyya – “Islamic Resistance”). Additionally, a news report in Persian about the ICR attached an image labeled “HizbullahCyber”, another indication of a possible connection between the ICR and Hezbollah.

Image labeled “HizbullahCyber” attached to the Persian news report

The ICR has no Facebook or Twitter accounts. However, it seems that wikileak.ir is the main platform for their leaks. Additionally, the Twitter account @quickleak.org often tweets about the group’s operations and should therefore be considered a good source of information about the group’s activity.