An Iranian hacking group believed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) was crippled by raids carried out by police across Europe after an Israeli-American cybersecurity firm informed them about the group’s activities, Reuters reported on Monday.
Researchers from U.S.-Israeli security firm Check Point Software said the 1,600 high-profile targets include members of the Saudi royal family, Israeli nuclear scientists, NATO officials, Iranian dissidents and even the wives of high-ranking generals from unnamed countries.
“We have discovered the inner workings of a cyber espionage campaign,” Shahar Tal, research group manager for U.S.-Israeli security firm Check Point Software, told Reuters in an interview. …
The company said it had informed national computer security response teams in Britain, Germany and the Netherlands, who in turn alerted police in those countries to the locations of “command and control” servers used to mount attacks controlled from Iran.
Although “it is extremely rare to obtain a comprehensive check-list of a nation’s military intelligence interest,” Tal told Reuters, Check Point was able to uncover a list of the group’s targets. He added that the European raids had crippled the hackers’ capacity to launch new attacks for months.
On Tuesday, David Shamah, the technology reporter for The Times of Israel, reported that the hacking group, called Rocket Kitten, made a number of errors that allowed Check Point to discover the full extent of their activities and trace their origin to Iran.
According to the report, most of the attacks – 44% – were against targets in Saudi Arabia, while 14% of them were against Israeli targets. The Check Point researchers were able to determine this, they said, because the evidence of who was attacked and when they were targeted was listed in an openly accessible database that was not even protected by a password.
“‘Such a gaping hole must be a decoy,’ we immediately thought,” the Check Point report said. “There is no way nation-state attackers would err in such amateur fashion, leaving their phishing server database exposed… would they?”
Apparently they would, and in addition to allowing password-less root access to any browsing visitor, the hackers committed numerous other sloppy mistakes, such as failing to hide a path to the server from where the attacks originated – providing clear evidence that the attacks originated in Iran. Even the name of the head of the Iranian hacker program – Yaser Balaghi – along with a clear outline of his hacking activities, was easily accessible.
The carelessness displayed by Rocket Kitten was unusual, Shamah added, because they were “nation-state hackers whose prime directive is to ensure that no one is able to connect them with their government.”
A recent increase in cyber attacks against American officials is believed to be linked to the recent arrest in Tehran of Iranian-American businessman Siamak Namazi, whose computer was confiscated by the IRGC. A scheme by Iranian hackers to get sensitive information from professionals in the defense and telecommunications industries using fake LinkedIn profiles was discovered and shut down last month.
In Iran Has Built an Army of Cyber-Proxies, which was published in the August 2015 issue of The Tower Magazine, Jordan Brunner described Iran’s rise as a cyberwarfare power as a parallel development of its network of global terrorist proxies.
Iran is adept at building terrorist and other illicit networks around the world. Its cyber-capabilities are no different. It uses the inexpensive method of training and collaborating with proxies in the art of cyber-war. It may also have collaborated with North Korea, which infamously attacked Sony in response to the film The Interview. It is possible that Iran assisted North Korea in developing the cyber-capability necessary to carry out the Sony hack. While acknowledging that there is no definite proof of this, Claudia Rosett of the Foundation for Defense of Democracies raised the question in The Tower earlier this year.
More importantly, Iran is sponsoring the cyber-capabilities of terrorist organizations in Lebanon, Yemen, and Syria. The first indication of this was from Hezbollah. The group’s cyber-activity came to the attention of the U.S. in early 2008, and it has only become more powerful in cyberspace since then. An attack that had “all the markings” of a campaign orchestrated by Hezbollah was carried out against Israeli businesses in 2012.
Lebanon’s neighbor, Syria, is home to the Syrian Electronic Army (SEA), which employs cyber-warfare in support of the Assad regime. There are rumors that indicate it is trained and financed by Iran. The SEA’s mission is to embarrass media organizations in the West that publicize the atrocities of the Assad regime, as well as track down and monitor the activities of Syrian rebels. It has been very successful at both. The SEA has attacked media outlets such as The Washington Post, the Chicago Tribune, the Financial Times, Forbes, and others. It has also hacked the software of companies like Dell, Microsoft, Ferrari, and even the humanitarian program UNICEF.
[Photo: Financial Times / YouTube]