A Mystery Agent Is Doxing Iran's Hackers And Dumping Their Code


Alyssa Foote at WIRED wrote: "NEARLY THREE YEARS after the mysterious group called the Shadow Brokers began disemboweling the NSA's hackers and leaking their hacking tools onto the open web, Iran's hackers are getting their own taste of that unnerving experience.

For the last month, a mystery person or group has been targeting a top Iranian hacker team, dumping their secret data, tools and even identities onto a public Telegram channel—and the leak shows no signs of stopping.

Since March 25, a Telegram channel called "Lab Dookhtegan" or "Read My Lips" has been systematically spilling the secrets of a hacker group known as APT34 or Oilrig, which researchers have long believed to be working in service of the Iranian government.

So far, the leaker or leakers have published a collection of the hackers' tools, evidence of their intrusion points for 66 victim organizations across the world, the IP addresses of servers used by Iranian intelligence, and even the identities and photographs of alleged hackers working with the OilRig group.

"We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks," read the original message posted to Telegram by the hackers in late March. "We hope that other Iranian citizens will act for exposing this regime’s real ugly face!"

The exact nature of the leaking operation and the person or people behind it are anything but clear. But the leak seems intended to embarrass the Iranian hackers, expose their tools—forcing them to build new ones to avoid detection—and even compromise the security and safety of APT34/OilRig's individual members.

"It looks like either a disgruntled insider is leaking tools from APT34 operators, or it’s a Shadow Brokers-esque sort of entity interested in disrupting operations for this particular group," says Brandon Levene, head of applied intelligence at the security firm Chronicle, which has been analyzing the leak. "They do seem to have something out for these guys. They’re naming and shaming, not just dropping tools."

As of Thursday morning, the "Read My Lips" leakers continued to post names, photos, and even contact details of alleged OilRig members to Telegram, though WIRED couldn't confirm that any of the identified men were actually connected to the Iranian hacker group.

"From now on, we will expose every few days the personal information of one of the cursed staff and secret information from the vicious Ministry of Intelligence so to destroy this betraying ministry," a message posted by the leakers on Thursday read.

Continue reading the story at WIRED:

Topics: Cybercrime

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews