Since March 25, a Telegram channel called "Lab Dookhtegan" or "Read My Lips" has been systematically revealing the secrets of a hacking group known as APT34 or OilRig, which has long been believed to work on behalf of the Iranian government. So far, the author(s) of the leaks have published a collection of the group's hacking tools, evidence of its intrusions into 66 victim organizations around the world, the IP addresses of servers used by Iranian intelligence, and even the identities and photos of people suspected of working with OilRig.
"We expose here the cyber-tools (APT34/OILRIG) used by the unscrupulous Iranian Ministry of Intelligence against the neighboring countries of Iran, including the names of the cruel officials and information on the activities and objectives of these cyber-attacks," read the original message posted to Telegram by the leakers at the end of March. "We hope that other Iranian citizens will act to expose the real ugly face of this regime!"
The exact nature of the leaking operation and the person(s) behind it are anything but clear. But the leak appears intended to embarrass the Iranian hackers, to expose their tools and force them to build new ones to avoid detection, and even to compromise the personal security of APT34/OilRig members. "It would seem that either a disgruntled insider is leaking the tools of the APT34 operators, or that it is a Shadow Brokers-type entity seeking to disrupt the operations of this group," says Brandon Levene, head of intelligence at the security company Chronicle, who analyzed the leak. "They do not seem to have anything to offer these guys; they name and shame, not just tools."
As of Thursday morning, the authors of "Read My Lips" were still publishing names, photos, and even contact details of alleged OilRig members on Telegram, though WIRED could not confirm that any of the identified men was actually linked to the Iranian hacking group. "From now on, every few days we will expose the personal information of one of the accursed staff members and the secret information of the vicious intelligence ministry, to destroy this treacherous ministry," read a message posted Thursday by the leakers.
Chronicle's analysts have confirmed that at least the published hacking tools are in fact OilRig's, as the leakers claim. They include, for example, programs called Hypershell and TwoFace, web shells designed to give the hackers continued access to web servers they have already compromised. Two other tools, PoisonFrog and Glimpse, appear to be different versions of a remote-access Trojan called BondUpdater, which Palo Alto Networks has observed OilRig using since last August.
Beyond leaking these tools, the "Read My Lips" source also claims to have wiped the contents of Iranian intelligence servers, and has posted screenshots of the message left behind, such as the one shown below.
When the Shadow Brokers released their collection of secret NSA hacking tools over the course of 2016 and 2017, the results were disastrous: leaked NSA exploits such as EternalBlue and EternalRomance were used in some of the most destructive and costly cyberattacks in history, including the WannaCry and NotPetya worms. But Chronicle's Levene says the leaked OilRig tools are neither as unique nor as dangerous, and that the leaked versions of the web shells in particular are missing components that would let them be easily reused. "It's not really cut-and-paste," says Levene. "Re-weaponization of these tools is unlikely."
Another tool included in the leak is labeled "DNSpionage malware" and described as "code used to [man-in-the-middle] to extract authentication information" and "code to handle DNS hijacking." DNSpionage is the name of a DNS-hijacking campaign discovered last year and since attributed to Iran. That operation targeted dozens of Middle Eastern organizations by modifying their DNS records so that all of their incoming Internet traffic was redirected to another server, where the hackers could silently intercept it and steal its contents, usernames and passwords included.
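The hijacking pattern described above, as an added example that is not part of the article or of any leaked tool: a Python baseline check that diffs the DNS answers a resolver currently returns against a known-good record set and flags A, MX, or NS records that have been redirected to infrastructure outside the organization's own address space. The zone names, addresses, and "attacker" hostnames are constructed placeholders (RFC 5737 documentation ranges), not real victim data.

```python
import ipaddress

# Pattern the article describes: the victim's DNS records are changed so
# that traffic lands on an attacker server that proxies it and harvests
# credentials. Hunting for it amounts to diffing live answers against a
# known-good baseline and asking whether new targets sit inside address
# space the organization actually owns.

# Constructed baseline: what the records SHOULD be (placeholder data).
BASELINE = {
    ("mail.example.com", "A"): {"192.0.2.10"},
    ("webmail.example.com", "A"): {"192.0.2.11"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
}

# Address space the organization controls; anything else is suspect.
TRUSTED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed "live" answers as a resolver might return them mid-hijack:
# webmail is redirected off-net, the MX now points at a rogue host, and
# one authoritative NS has been swapped for an outsider.
OBSERVED_HIJACKED = {
    ("mail.example.com", "A"): {"192.0.2.10"},
    ("webmail.example.com", "A"): {"203.0.113.44"},
    ("example.com", "MX"): {"10 mx.attacker.example."},
    ("example.com", "NS"): {"ns1.example.com.", "ns.attacker.example."},
}


def in_trusted_space(addr: str) -> bool:
    """True if an address literal falls inside a range the org owns."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all
    return any(ip in net for net in TRUSTED_RANGES)


def check_records(baseline: dict, observed: dict) -> list:
    """Diff observed records against the baseline and return findings.

    Each finding is a dict with name, rtype, severity and reason.
    'high': traffic or delegation moved to targets outside the trusted set.
    'medium': a record changed but stayed inside owned address space, or a
              record exists that the baseline never listed.
    'low': a baseline record or value vanished (outage, or a hijacked
           record being cleaned up).
    """
    findings = []
    for (name, rtype), expected in baseline.items():
        current = observed.get((name, rtype))
        if current is None:
            findings.append(dict(name=name, rtype=rtype, severity="low",
                                 reason="record missing from live answers"))
            continue
        added = current - expected
        removed = expected - current
        if not added and not removed:
            continue
        if not added:
            findings.append(dict(name=name, rtype=rtype, severity="low",
                                 reason="values dropped: " + ", ".join(sorted(removed))))
            continue
        if rtype in ("A", "AAAA"):
            off_net = sorted(v for v in added if not in_trusted_space(v))
            if off_net:
                sev, reason = "high", "address redirected outside trusted space: " + ", ".join(off_net)
            else:
                sev, reason = "medium", "address changed within trusted space"
        else:
            # NS and MX carry hostnames; any new target not in the
            # baseline means delegation or mail flow has moved.
            sev, reason = "high", f"{rtype} target changed to " + ", ".join(sorted(added))
        findings.append(dict(name=name, rtype=rtype, severity=sev, reason=reason))
    for name, rtype in observed.keys() - baseline.keys():
        findings.append(dict(name=name, rtype=rtype, severity="medium",
                             reason="record not present in baseline"))
    return findings


def high_severity(findings: list) -> list:
    return [f for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    for f in check_records(BASELINE, OBSERVED_HIJACKED):
        print(f"[{f['severity']:>6}] {f['name']} {f['rtype']}: {f['reason']}")
```

Run the check from a vantage point outside the monitored network: a hijack made at the registrar or on the authoritative server is exactly what hosts behind a caching resolver will fail to notice until their cached answers expire.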
But Chronicle's Levene says that, despite the name, Chronicle does not believe the DNSpionage malware in the leak matches the malware used in that previously identified campaign. The two DNS-hijacking tools do appear to have similar functionality, however, and the two campaigns share at least some victims. The "Read My Lips" leak contains detailed records of OilRig's server compromises across a wide range of Middle Eastern networks, from Abu Dhabi Airports and Etihad Airways to the Bahrain National Security Agency, Solidarity Saudi Takaful, and Saudi Insurance. According to Chronicle's analysis of the leaked data, OilRig's targets are as diverse as a South Korean gaming company and a Mexican government agency. But most of the hackers' dozens of victims are clustered in the Middle East, and some were also hit by DNSpionage, says Levene. "We don't see any connection with DNSpionage, but the victims overlap," he says. "If they are not the same, at least their interests are shared."
For OilRig, the leak represents an embarrassing setback and an operational-security breach. But for the security research community, it also offers a rare view into the inner workings of a state-sponsored hacking group, says Levene. "We don't often get the chance to examine state-sponsored groups and how they operate," he says. "This gives us a sense of the scope and scale of this group's capabilities."
Even as "Read My Lips" continues to reveal the Iranians' secrets, the source of the leaks remains a mystery. And judging by its claims on Telegram, it is only getting started. "We have more secret information on the crimes of the Iranian Ministry of Intelligence and its officials," reads a message the group posted last week. "We are determined to continue exposing them; follow us and share!"