Pretty big story emerging for cyber warfare people - somebody has apparently pwned Iran state sponsored APT group, wiped assets and is publicly posting their code, online assets and doxxing agents
Source code of Iranian cyber-espionage tools leaked on Telegram
APT34 hacking tools and victim data leaked on a secretive Telegram channel since last month.
By Catalin Cimpanu for Zero Day | April 17, 2019 -- 23:24 GMT (16:24 PDT) | Topic: Security
APT34 leak on Telegram
In an incident reminiscent of the Shadow Brokers leak that exposed the NSA's hacking tools, someone has now published similar hacking tools belonging to one of Iran's elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten.
The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless.
Victim data also dumped online
The tools have been leaked since mid-March on a Telegram channel by an individual using the Lab Dookhtegan pseudonym.
Besides hacking tools, Dookhtegan also published what appears to be data from some of APT34's hacked victims, mostly comprising username and password combos that appear to have been collected through phishing pages.
ZDNet was previously aware of some of these tools and victim data after this reporter received a tip in mid-March. In a Twitter DM, a Twitter user shared some of the same files that were discovered today on Telegram, and we believe that this Twitter user is the Telegram Lab Dookhtegan persona.
In our Twitter conversation, the leaker claimed to have worked on the group's DNSpionage campaign, but this should be taken with a grain of salt, as the leaker could very well be a member of a foreign intelligence agency trying to hide their real identity while giving more credence to the authenticity of Iran's hacking tools and operations.
Several cyber-security experts have already confirmed the authenticity of these tools. Chronicle, Alphabet's cyber-security division, confirmed this to ZDNet earlier today.
In the Telegram channel discovered today, the hacker leaked the source code of six hacking tools, and the content from several active backend panels, where victim data had been collected.
- Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks names BondUpdater)
- PoisonFrog (older version of BondUpdater)
- HyperShell (web shell that Palo Alto Networks calls TwoFace)
- HighShell (another web shell)
- Fox Panel (phishing kit)
- Webmask (DNS tunneling, main tool behind DNSpionage)
Besides source code for the above tools, Dookhtegan also leaked on the Telegram channel data taken from victims that had been collected in some of APT34's backend command-and-control (C&C) servers.
APT34 victim data
In total, according to Chronicle, Dookhtegan leaked data from 66 victims, mainly from countries in the Middle East, but also Africa, East Asia, and Europe.
Data was taken both from government agencies and from private companies. The two biggest companies named on the Telegram channel are Etihad Airways and Emirates National Oil. A list of the victims (but without company/government agency names) is available here.
Data leaked from each victim varied, ranging from usernames and password combos to internal network servers info and user IPs.
Additionally, Dookhtegan also leaked data about past APT34 operations, listing the IP addresses and domains where the group had hosted web shells in the past, and other operational data.
APT34 web shells
Besides data on past operations, the leaker also doxxed Iranian Ministry of Intelligence officers, posting phone numbers, images, and names of officers involved with APT34 operations. For some officers, Dookhtegan created PDF files containing their names, roles, images, phone numbers, email addresses, and social media profiles.
It was clear from the detailed doxing packages that the leaker had a bone to pick with the Iranian Ministry of Intelligence officers, to which he referred many times as "cruel," "ruthless," and "criminal."
"We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them," Dookhtegan said in a Telegram message posted last week.
The leaker also posted screenshots on the Telegram channel alluding to destroying the control panels of APT34 hacking tools and wiping servers clean.
APT34 destroyed server
APT34 BIOS destroy
The data leaked on this Telegram channel is now under analysis by several cyber-security firms, ZDNet was told. It has also made its way on other file sharing sites, such as GitHub.
"It's likely this group will alter their toolset in order to maintain operational status," Brandon Levene, Head of Applied Intelligence at Chronicle, told ZDNet today in an email. "There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use."
This is because the tools aren't sophisticated and aren't top-tier tools like the ones leaked in the Shadow Brokers' NSA leak. Nation-state or criminal groups who will reuse these tools will most likely do it as a smoke-screen or false flag, to mask their operations as APT34.
https://www.zdnet.com/article/source-co ... -telegram/
A Mystery Agent Is Doxing Iran's Hackers and Dumping Their Code
Nearly three years after the mysterious group called the Shadow Brokers began disemboweling the NSA's hackers and leaking their hacking tools onto the open web, Iran's hackers are getting their own taste of that unnerving experience. For the last month, a mystery person or group has been targeting a top Iranian hacker team, dumping their secret data, tools, and even identities onto a public Telegram channel—and the leak shows no signs of stopping.
Since March 25, a Telegram channel called Read My Lips or Lab Dookhtegan—which translates from Farsi as "sewn lips"—has been systematically spilling the secrets of a hacker group known as APT34 or OilRig, which researchers have long believed to be working in service of the Iranian government. So far, the leaker or leakers have published a collection of the hackers' tools, evidence of their intrusion points for 66 victim organizations across the world, the IP addresses of servers used by Iranian intelligence, and even the identities and photographs of alleged hackers working with the OilRig group.
"We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks," read the original message posted to Telegram by the hackers in late March. "We hope that other Iranian citizens will act for exposing this regime’s real ugly face!"
The exact nature of the leaking operation and the person or people behind it are anything but clear. But the leak seems intended to embarrass the Iranian hackers, expose their tools—forcing them to build new ones to avoid detection—and even compromise the security and safety of APT34/OilRig's individual members. "It looks like either a disgruntled insider is leaking tools from APT34 operators, or it’s a Shadow Brokers–esque sort of entity interested in disrupting operations for this particular group," says Brandon Levene, head of applied intelligence at the security firm Chronicle, which has been analyzing the leak. "They do seem to have something out for these guys. They’re naming and shaming, not just dropping tools."
As of Thursday morning, the Read My Lips leakers continued to post names, photos, and even contact details of alleged OilRig members to Telegram, though WIRED couldn't confirm that any of the identified men were actually connected to the Iranian hacker group. "From now on, we will expose every few days the personal information of one of the cursed staff and secret information from the vicious Ministry of Intelligence so to destroy this betraying ministry," a message posted by the leakers on Thursday read.
Chronicle's analysts confirm that at least the hacking tools released are in fact OilRig's hacking tools, as the leakers claimed. They include, for instance, programs called Hypershell and TwoFace, designed to give the hackers a foothold on hacked web servers. Another pair of tools called PoisonFrog and Glimpse appear to be different versions of a remote-access Trojan called BondUpdater, which researchers at Palo Alto Networks have observed OilRig using since last August.
Beyond leaking those tools, the Read My Lips leaker also claims to have wiped the contents of Iranian intelligence servers, and posted screenshots of the message it says it left behind, like the one shown below.
Lab Dookhtegan/Read My Lips
When the Shadow Brokers spilled their collection of secret NSA hacking tools over the course of 2016 and 2017, the results were disastrous: The leaked NSA hacking tools EternalBlue and EternalRomance, for instance, were used in some of the most destructive and costly cyberattacks in history, including the WannaCry and NotPetya worms. But Chronicle's Levene says that the dumped OilRig tools aren't nearly as unique or dangerous, and the leaked versions of the webshell tools in particular are missing elements that would allow them to be easily repurposed. "It’s not really cut and paste," Levene says. "Re-weaponizing of these tools isn't likely to happen."
Another tool included in the leak is described as "DNSpionage" malware and described as "code used for [man-in-the-middle] to extract authentication details" and "code for managing the DNS hijacking." The DNSpionage name and description match an operation that security firms uncovered late last year and have since attributed to Iran. The operation targeted dozens of organizations across the Middle East by altering their DNS registries to redirect all their incoming internet traffic to a different server where the hackers could silently intercept it and steal any usernames and passwords it included.
But Chronicle's Levene says that despite appearances, Chronicle doesn't believe the DNSpionage malware in the leak matches the malware used in that previously identified campaign. The two DNS hijacking tools do, however, appear to have similar functionality, and the two hacking campaigns at least shared some victims. The Read My Lips leak includes details of server compromises that OilRig established in a broad array of Middle Eastern networks, from Abu Dhabi's airports to Etihad Airways to the National Security Agency of Bahrain, to the Solidarity Saudi Takaful Company, a Saudi Arabian insurance firm. According to Chronicle's analysis of the leaked victim data, OilRig's targets are as diverse as a South Korean gaming company and a Mexican government agency. But most of the hackers' dozens of victims are clustered in the Middle East, and some were also hit by DNSpionage, Levene says. "We don't see any link with DNSpionage, but there is victim overlap," he says. "If they’re not the same, at least their interests are mutual."
For OilRig, the ongoing leak represents an embarrassing setback and operational security breach. But for the security research community, it also offers a rare view into the internals of a state-sponsored hacking group, Levene says. "We don’t often get a look into state-sponsored groups and how they operate," he says. "This gives us some idea of the scope and scale of this group's capabilities."
Even as the Read My Lips leaker reveals the Iranians' secrets, however, the source of those leaks remains a mystery. And judging by its Telegram claims, it's only getting started. "We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers," reads a message from the group posted last week. "We are determined to continue to expose them. Follow us and share!"
https://www.wired.com/story/iran-hacker ... d-my-lips/
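The DNS hijacking described in the WIRED piece (a victim's DNS records altered so incoming traffic lands on an interception server) is something a defender can catch by baselining their own zone and alerting on drift. The checker below is an added example written for this thread, not code from either article or from any of the leaked tools; the domain example.test, the nameserver names and the addresses (RFC 5737 documentation ranges) are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed baseline: the records an organisation expects for its own zone.
BASELINE = {
    "example.test": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.example.test.", "ns2.example.test."},
        "MX": {"mail.example.test."},
    },
    "mail.example.test": {"A": {"203.0.113.25"}},
}
# Address space the organisation actually controls; any new A record outside it is suspect.
OWNED_RANGES = [ip_network("203.0.113.0/24")]

def classify(rtype, old, new):
    """Severity for a changed record set. A hijack of the kind described
    above moves the NS delegation and/or points A records at attacker hosts."""
    added = new - old
    if rtype == "NS":
        return "critical"   # delegation moved: the whole zone can be answered by someone else
    if rtype == "A":
        if not added:
            return "warning"  # record removed, nothing redirected
        foreign = [a for a in added if not any(ip_address(a) in n for n in OWNED_RANGES)]
        return "critical" if foreign else "notice"
    return "warning"

def check_drift(baseline, observed):
    """Compare an observed snapshot (name -> rtype -> set of rdata) with the baseline."""
    findings = []
    for name, rsets in baseline.items():
        seen = observed.get(name, {})
        for rtype, expected in rsets.items():
            current = set(seen.get(rtype, set()))
            if current != expected:
                findings.append({"name": name, "type": rtype,
                                 "severity": classify(rtype, expected, current),
                                 "expected": sorted(expected), "observed": sorted(current)})
    return findings

# Constructed snapshot imitating a hijack: A record and NS delegation now point elsewhere.
HIJACKED = {
    "example.test": {
        "A": {"198.51.100.7"},
        "NS": {"ns1.attacker-dns.test.", "ns2.attacker-dns.test."},
        "MX": {"mail.example.test."},
    },
    "mail.example.test": {"A": {"203.0.113.25"}},
}

if __name__ == "__main__":
    for f in check_drift(BASELINE, HIJACKED):
        print(f"[{f['severity']}] {f['name']} {f['type']}: expected {f['expected']}, observed {f['observed']}")
```

In practice the observed snapshot would come from periodic queries against several public resolvers plus the registrar's record of the delegation, since a registrar-level change is exactly what the campaign in the article relied on.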