Cyber Iran – Part 4

This podcast is the fourth part of a series of podcasts that will focus on the Iran Cyber leak that started during March 2019.

As always, all the information discussed in this podcast is based on free public information available to anyone.

Screenshot of deleted server & message left by the hackers.

At the end of March 2019, a group calling themselves Read My Lips started leaking information and tools used by the Iranian Ministry of Intelligence, also known as APT34 / OilRig.

The person or organization behind this leak created a Telegram channel that is open to everyone, and every few days they share more information. Their pinned post declares that they are exposing the Iranian Ministry of Intelligence and that they hope other Iranian citizens will act to expose the regime's real face.

This is the third podcast in the series examining Cyber Iran; this time the focus is on one of the more famous cyberattacks against Iran that was made public and became known as Stuxnet (and its variants).
The full transcript of the podcast can be found at the cybercure blog:

Some of the details that were released are very specific. For example, they released the details of managers in the Iranian Ministry of Intelligence, including names and phone numbers, and other releases also included photos of the person in addition to the title and phone numbers. It's difficult to say from open sources whether these details are real.

LinkedIn profile of a cyber security ‘researcher’ in Iran Ministry of Intelligence

This leak is getting some international press, but not nearly as much as it should.

In addition to exposing different people, they also shared screenshots of the process of taking control of Iranian government command and control botnet servers and shutting them down.

After they wiped the data from the servers, they left a message announcing that they are going to expose all the secrets.

Assuming that the screenshots are original, they show interesting things. For example, it looks like the Iranian government's bots were mostly located in Lebanon.

That raises the question: did Iran hack into the computers in Lebanon in order to gain control over them, or did Lebanon give the Iranian government access to install cyber weapons on computers in Lebanon?

One of the reasons the USA is putting sanctions on Iran is that it wants to stop Iran from exerting influence in the Middle East, and this is definitely evidence of how closely Iran and Lebanon are tied.

In other words, to put it in simple terms, there are two options:

  1. It means Lebanon gave Iran permission to place cyber weapons (bots) in their country.
  2. It means Iran successfully targeted Lebanon to use it as a launchpad for cyber attacks.

Screenshots of control panels, bots and command and control servers are shared publicly.

There are also additional files that include usernames and passwords for different government and critical infrastructure servers in countries located in the Gulf region.

In an earlier episode we discussed Iran trying to shift from hacking specific computers to hacking multiple computers at once by targeting service providers such as DNS.

One of the releases also includes tools that are used to attack service providers. While it's difficult to authenticate the tools' origin, there are still lots of similarities between attacks that were associated with Iran and the source files that were released.

The last time such a massive leak of data from a cyber security agency happened was in 2016, when someone leaked classified files belonging to the NSA to the internet.

That leak had a significant impact, as it also included undisclosed vulnerabilities at the operating system level. This caused several waves of cyber attacks using payloads from the leak, among them some of the most destructive and costly cyberattacks in history, including the WannaCry and NotPetya worms.

Shared image of supposed to be clown manager in the Iranian Offensive Cyber Unit

So far, it looks like the Cyber Iran leaks contain no undisclosed vulnerabilities and no complete webshells or payloads that would allow the code to be exploited quickly, but the only way to know for sure is to sit down and analyze the data, as many people around the world are doing now.

Whether this is a group of people, an individual or another type of secret entity, they are targeting specific people in the government who do terrible things to their own citizens and to others, and they decided to fight it by exposing these people and methods. Good luck!

This is a good time to recall the importance of Cyber Threat Intelligence, which in such cases can help stop sophisticated attacks that might result from such leaks.

Group link (Use at your own risk):

That’s it for this podcast, stay safe, and see you in the next podcast.

Don’t forget to visit for the latest podcasts on cyber intelligence.