A Hacker Group is Doxing Confidential Data of Espionage Group Linked to Iran’s Government
According to an article published by Wired on April 18, 2019, a mystery hacker group for the last month has been divulging Iran’s top-level hackers’ secret data, tools, and personal identities onto a public Telegram channel.
Iranian Intelligence Agency’s Close Associates Hacked
Occasionally, it can be easy to be lost in the noise of social media sites when surfing the web and as such, major online developments operating in the public’s blind spot can go unnoticed. This layer of the internet which operates without much din often times becomes the breeding grounds for some of the most interesting behind-the-screen tales.
For instance, nearly three years ago, a group of anonymous hackers calling itself the Shadow Brokers publically announced the theft of highly-classified National Security Agency (NSA) linked documents. At the time, the group released a sample of the stolen data and also offered to sell an encrypted file whose decryption key they were willing to offer for sale in a bitcoin auction.
Fast-forward to 2019, the target of another such hack attack seems to now be top Iranian intelligence teams.
Per sources close to the matter, a group of hackers has spilled details about the inner workings of a cyber-espionage group known in the closely knit security community under aliases such as OilRig, APT34, and HelixKitten. Notably, this cyber-espionage group has been heavily implied to have links to the Iranian government.
The incident came to light on March 25, 2019, when a Telegram channel called Read my Lips was found to have released secret data pertaining to APT34. To date, online perpetrators have leaked details about the hackers’ tools, evidence of their involvement in more than 66 victim organizations across the world, IP addresses of servers used by Iran’s intelligence agencies, and even the IDs and photographs of alleged hackers working for the espionage group.
A message posted to Telegram by the hackers in late March read:
“We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks. We hope that other Iranian citizens will act for exposing this regime’s real ugly face!”
Further, hackers claim to have wiped out content from Iranian intelligence servers. They also posted the below screenshot to make the officials know that they’re not merely playing around.
(Source: Read My Lips)
The Source of Information Remains a Mystery
Although the Telegram group Read my Lips looks determined to splurge more details in the coming days, the source of these leaks continues to remain shrouded in mystery.
Data leaked by the hacker group consists of OilRig related URLs as well as thousands of login credentials. It also includes more than 900 usernames and passwords of officials from the Emirates Ministry of Presidential Affairs.
Alexey Firsh, a cyber threat researcher at Kaspersky on April 17, 2019, Tweeted:
The Telegram group says that the trove of data was retrieved from the command and controls used by OilRig.
If true, this could mean an embarrassing moment for the Iranian intelligence agencies, especially after considering that their work largely revolves around security and developing apt counter-mechanisms to repel such data breaches.