A recent media report has once again exposed Iran's cyber espionage practices. An online persona named Lab Dookhtegan recently leaked, on Telegram, a hacking toolkit claimed to belong to Iran's espionage group, commonly known as APT34, OilRig or HelixKitten. The leaks, which began in mid-March, contain crucial data relating to the espionage campaign led by the Iran-based cyber group.
ZDNet learned of the leak when a Twitter user sent it direct messages containing some of the files earlier posted on Telegram, and it published a report on them. The Twitter user presents itself as someone who worked on the group's DNSpionage campaign. However, ZDNet has speculated that the user may instead be a member of a foreign intelligence agency building a cover story for the Lab Dookhtegan Telegram persona.
The data exposed in the leak included six hacking tools: Glimpse, PoisonFrog, HyperShell, HighShell, Fox Panel, and Webmask. The authenticity of the exposed tools, used in Iranian cyber espionage, has been attested by cyber-security experts, including Chronicle, Alphabet's cyber-security division.
Along with the verified tools, the leaker also released the contents of several active backend panels that collected victims' data. The released content held data on 66 victims in the Middle East region. The report explained that the stolen data had been collected from both government and private companies. Data related to past APT34 intrusions was also released alongside the rest, including IP addresses, domains hosting web shells and other operational data.
Moreover, the leaker also released personal information on the Iranian Ministry of Intelligence officers involved in APT34 operations, including their names, phone numbers and images, together with the source code.
The leaker also said it had, for now, destroyed the control panels of APT34's hacking tools and wiped their servers clean, so that the group cannot continue its operations and may have to start over.
The leaker's stated motivation suggests a grudge against the Iranian Ministry of Intelligence, which the leaker described as "cruel," "ruthless" and "criminal".
The leak has disrupted Iran's ongoing state-backed cyber espionage activity, and more and more security researchers are now studying Iranian hacking patterns, making it harder for the espionage groups to continue their operations.