The Strange Death of an Iranian IRGC Cyber Commander

Funeral reception of Mohammad Hussein Tajik

News of the assassination of an Iranian cyber manager has recently been released. Mohammad Hussein Tajik, the cyber manager of the Iranian Revolutionary Guards Corps (IRGC), was assassinated in his home in July 2016. His torture and death seem strange…read on.

History

Mohammad Hussein Tajik was an accomplished mathematician (having been a silver medalist at a Mathematical Olympiad, which is a great award in Iran and opens many doors). Tajik’s career up to March 2013 involved:

  • Technical office at MOIS (Iranian Ministry of Intelligence)
  • IRGC Sarollah Headquarters (responsible for the security of Tehran and the surrounding province)
  • Deputy Head of the Kheybar Corps (responsible for stopping religious or civil disorder)
  • IRGC Quds Force (Special operations unit that operates abroad)

Arrest & Detention

In March or April of 2013, Tajik was arrested on charges of spying and he was then taken to the MOIS detention center at Hejrat. A court summons for Tajik was issued on 13th July 2013. After that, Tajik was taken in August or September 2013 to the 209 Wing of Evin prison.

Court summons for Mohammad Hussein Tajik


Interrogation & Torture

According to the Christian website vocir.org, Tajik was tortured and his confession was extracted by means of having boiling water poured on his penis and being held for 6 months in a deep pit (or “grave”) with a bright light shone on him constantly.

The Death of Tajik

After Tajik’s release, it was reported that sometime in early July 2016 (believed to be the 7th of July) he was talking on the telephone to a “news source” when his father (a MOIS operative), along with another MOIS operative, entered his home. At that point Tajik told the “news source” that he would call him back in an hour. Tajik never called back, because he had been murdered by his own father and the other MOIS operative.

It was reported that Mohammad Hussein Tajik’s body was very bloody (indicating a violent death) and that his body was covered in plastic bags before being covered in a burial shroud, to prevent the blood showing. It is stated that MOIS demanded that no autopsy be carried out, obviously to try and cover up the murder.

An unconvincing forgery

It is odd enough that a MOIS operative would kill his own son (MOIS and IRGC do not get on, but killing your own son is extreme, even for MOIS). On top of that, the official letter (see below) concerning Tajik’s case looks like a forgery, or perhaps the work of an intelligence agency. You decide. We have all seen leaked official documentation, and this does not look genuine. Why?

  1. Where is the letterhead in such an “official” document?
  2. There are multiple spelling mistakes.
  3. For an official document, the writing style is too informal.
  4. Why can we not see the document reference number or the signature?


Letter informing the court of witnesses who are linked with the case


Zero Days: Film about Nitro Zeus & Stuxnet



Zero Days is a new film about the investigation of the world’s first cyber weapon, known as Stuxnet, and Operation Olympic Games. Stuxnet is malicious software that hides itself and damages critical data. The film also discusses another, even more powerful cyber weapon, known as Nitro Zeus.

Stuxnet

Stuxnet is a malicious cyber worm, possibly of US and Israeli origin. It targeted the Iranian nuclear facility at Natanz, causing damage that was made to look like a series of accidents.

Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes, e.g. to control machinery on factory assembly lines or centrifuges for separating nuclear material.

Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet compromised Iranian PLCs, collecting information on industrial systems and causing the centrifuges to be destroyed.

Stuxnet’s design and architecture are not domain-specific, and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g., in automobile or power plants), the majority of which reside in Europe, Japan and the US. Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.


Operation Olympic Games

Operation Olympic Games was a covert campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities by the United States and possibly also by Israel.

Nitro Zeus

Nitro Zeus provided the NSA (National Security Agency) the ability to attack Iran’s command-and-control systems, which would obstruct the whole country’s communication capabilities.

The state-sponsored cyber attack would also have disabled Iranian air defenses and harmed financial systems as well as vital components of the power grid. This would have allowed US and Israeli aircraft to survey the area without being shot down.

The operation was in place as a second option just in case diplomacy and negotiations did not go smoothly. The cyber program was never actually used.

Film

The Zero Days trailer can be found at the official site here



Powerful Iran? Iranian Twitter Bots #FAIL


The Iranians appear to be engaged in a strange soft-war propaganda campaign aimed at a Western audience, using the hashtag “Powerful_Iran” (#powerful_iran).

Multiple fake Twitter accounts have been publishing content from accounts with English names and profile photographs of Hollywood celebrities. The tweets have photographs of Iranian military equipment and cover a range of countries, media outlets, political slogans and other issues.

All of the tweeted photos carry a logo of a dove with a rifle on its back bearing the Iranian flag. They also include a caption using the “Powerful Iran” hashtag in English, Arabic and Persian. Many of the tweets carry images which vainly state that the “Islamic Republic of Iran is an international power”. If you say so…


Here are some of the obviously fake Twitter accounts (it seems that these 16 accounts are sending most of the tweets):

@daniel_mathew12 (created: 12/15/2015)
@coreenwright3 (created: 12/26/2015)
@brianrauscher3 (created: 12/15/2015)
@harrisonangela5 (created: 12/15/2015)
@Williams2070 (created: 12/27/2015)
@daisybailey01 (created: 12/27/2015)
@EthelBell2016 (created: 12/26/2015)
@charlesmeyer201 (created: 12/26/2015)
@agustinarobbin1 (created: 12/27/2015)
@thomasanaya3 (created: 12/26/2015)
@Halina1321 (created: 12/13/2015)
@Peggy_Seitz (created: 12/26/2015)
@stefan_witcher (created: 12/26/2015)
@TillieMedeiros (created: 12/26/2015)
@shahab945 (created: 08/05/2015)
@pablofisher1990 (created: 12/22/2015)

The profiles are fake because:

  1. They have clearly mostly been created around the same time.
  2. They replay the same content between profiles.
  3. They don’t tweet about much else!
  4. They have a lot of followers & tweets in a short time.
  5. They use images of celebrities, obviously!
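The first four indicators above can be turned into a simple scoring rule run over account records. This is an added example, not part of the original post: the handles, tweet texts, follower counts and snapshot date are constructed, with the creation dates mirroring the December 2015 cluster in the listing above.

```python
from datetime import date

TAG = "#powerful_iran"
OBSERVED = date(2016, 1, 10)  # constructed snapshot date

# Constructed sample accounts: (handle, created, followers, tweets).
SLOGAN = f"Islamic Republic of Iran is an international power {TAG}"
DRILL = f"Missile drill today {TAG} #news"
PARADE = f"Navy parade {TAG}"
ACCOUNTS = [
    ("@sample_a", date(2015, 12, 15), 900, [SLOGAN, DRILL]),
    ("@sample_b", date(2015, 12, 26), 1100, [SLOGAN, DRILL]),
    ("@sample_c", date(2015, 12, 27), 800, [DRILL, PARADE]),
    ("@sample_d", date(2015, 8, 5), 400, [PARADE, SLOGAN]),   # older, same content
    ("@sample_e", date(2013, 3, 2), 150, ["coffee then work",
                                         "anyone seen the new film?",
                                         f"interesting thread {TAG}"]),
]

def _norm(text):
    return " ".join(text.lower().split())

def creation_cluster_sizes(accounts, window_days=14):
    """Indicator 1: how many accounts were created within window_days of each handle."""
    return {h: sum(abs((created - c).days) <= window_days for _, c, _, _ in accounts)
            for h, created, _, _ in accounts}

def shared_text_fraction(accounts):
    """Indicator 2: fraction of an account's tweets whose exact text also appears on another account."""
    owners = {}
    for h, _, _, tweets in accounts:
        for t in tweets:
            owners.setdefault(_norm(t), set()).add(h)
    return {h: sum(len(owners[_norm(t)]) > 1 for t in tweets) / max(len(tweets), 1)
            for h, _, _, tweets in accounts}

def score_accounts(accounts, tag=TAG, observed=OBSERVED):
    """Return {handle: (score, reasons)}. Indicator 5 (celebrity photos) needs
    image matching and is not modelled here."""
    clusters, shared, result = creation_cluster_sizes(accounts), shared_text_fraction(accounts), {}
    for h, created, followers, tweets in accounts:
        reasons = []
        if clusters[h] >= 3:
            reasons.append("created_in_cluster")
        if shared[h] >= 0.5:
            reasons.append("replays_content")
        if sum(tag in t.lower() for t in tweets) / max(len(tweets), 1) >= 0.8:
            reasons.append("single_topic")        # indicator 3
        age_days = max((observed - created).days, 1)
        if followers / age_days >= 20:            # indicator 4: followers per day of account age
            reasons.append("rapid_growth")
        result[h] = (len(reasons), reasons)
    return result

def flagged(accounts, threshold=3):
    return sorted(h for h, (s, _) in score_accounts(accounts).items() if s >= threshold)

if __name__ == "__main__":
    for h, (s, r) in score_accounts(ACCOUNTS).items():
        print(h, s, r)
```

Note that @sample_d, created months earlier with a modest following, scores only 2: content replay alone does not clear the threshold, which is why creation-date clustering and growth rate are checked together.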


Similarities to Letter4u

Last year, the hashtag “Letter4u” was used by many bot-like accounts following the release of an open letter by Iran’s supreme leader addressed to Western youth, and “Powerful_Iran” shows similarities to that campaign: “Letter4u” was also launched by an army of bots using photos of celebrities and also used a similar range of random hashtags. The themes of the tweets coincide with the predictable goals of the Iranian state: to destroy Israel and shut down traffic in the Persian Gulf, suggestions that Israel and Saudi Arabia are working together, and that Iran is a major global military power.

While it’s not entirely clear who is behind the “Powerful_Iran” campaign, it gained traction following the nuclear agreement between the West and Iran.

#FAIL

John Little, author of Blogs of War, states that, “…the campaign is a miserable failure. Almost all of the tweets have gone unnoticed and have no retweets or favourites. The few interactions that I can find also appear to be faked by other bots”.

Links

You can follow the Twitter & Telegram accounts for: @powerful_iran


Iranian Hackers Attack State Dept. via Social Media Accounts


Iran launched a sophisticated computer espionage campaign, leading to a series of cyberattacks against US State Department officials over the past month.

It is possible that cyberespionage is becoming the tool for seeking the type of influence that Iranian hardliners hoped the country’s nuclear program would eventually provide.

According to diplomatic and law enforcement officials who are familiar with the investigation, Iranian hackers over the past month identified individual State Department officials who focus on Iran and the Middle East and broke into their email and social media accounts. The State Department became aware of the compromises when Facebook told the victims that state-sponsored hackers had compromised their accounts.

Iran’s cyber skills are not yet equal to those of Russia or China, but the attack against the State Department, which used the social media accounts of young government employees to gain access to their friends across the administration, is an approach that had not been seen before.

Iranians have been less destructive than they could be, but they are getting far more aggressive in cyberespionage, which they know is less likely to prompt a response from the United States.

Iranian hackers have been responsible for a series of powerful attacks against American banks that took their websites offline, as well as a destructive attack on Saudi Aramco, the world’s largest oil producer, that replaced data on employee machines with an image of a burning American flag. American government officials also blame Iran for a similarly destructive attack at RasGas, the Qatari natural gas giant, and for an attack on Sands Casino in Las Vegas, where a large number of computers were destroyed.

Last year Iranians began using cyberattacks for espionage rather than for destruction and disruption. From May 2014 Iranian hackers were targeting Iranian dissidents and later policy makers, senior military personnel and defense contractors in the United States, England and Israel.

The attacks were basic “spear phishing” attempts, in which attackers tried to lure their victims into clicking on a malicious link, in this case by impersonating members of the news media. Iranian hackers were successful in more than a quarter of their attempts. The number of such attacks peaked in May, just ahead of the nuclear talks in Vienna in July, at more than 1,500 attempts.

In the months before the talks, Iran’s hackers began probing critical infrastructure networks in what appeared to be reconnaissance for cyberattacks aimed at causing physical damage. But in June and July, as American and Iranian negotiators gathered in Vienna to agree a deal on Iran’s nuclear program, attacks against targets in the United States stopped. Instead, Iran started targeting victims in Israel, as well as members of Daesh in July as the militant group began expanding its territory across Iraq.

Then in August, just two weeks after the nuclear accord was reached, the trickle of cyberattacks against the group’s usual targets resumed, against a set that included 1,600 individuals ranging from scholars, scientists, chief executives and ministry officials to education institutes, journalists and human rights activists. Had Facebook not decided last month to use a new alert system to notify users when its security team believed state-sponsored hackers had hijacked their accounts, so that US State Department officials began to see a troubling new message pop up on their Facebook accounts, it is possible the victims would never have learned of the compromises.


Duqu 2.0: ‘Almost Invisible’ Cyber Espionage Tool Targeted Russian Co., Linked to Iran Nuclear Talks

A Russian cyber security company says that it has discovered a highly technical, “almost invisible” cyber espionage tool that targeted the company’s own servers and other systems around the world, including some linked to the controversial Iranian nuclear negotiations.

Kaspersky Lab, which is based in Moscow, announced the discovery of the worm, called Duqu 2.0, which the company said it found this spring after the worm had penetrated its systems for “months.”

Kaspersky claims that after discovering the worm, it started an investigation to find other victims of the attack and found that some of the “infections are linked to the P5+1 events and venues related to negotiations with Iran about a nuclear deal.”

The Wall Street Journal was the first news agency to publish the news about Duqu 2.0. According to the Journal, computers at three luxury European hotels where negotiations had been held were among the worm’s victims.

Eugene Kaspersky said that the company cannot say definitively who is behind the attack, but he believes that, due to its sophistication and technical links to previous next-generation computer worms, the attack was most probably carried out by a government.

Kaspersky said that the name Duqu 2.0 was chosen for this worm because it appeared to be an upgraded version of the Duqu worm, another highly sophisticated espionage tool discovered in 2011.

Kaspersky said: “We can’t prove attribution because they’re going through proxy servers. There are technical attributions we can read from the code. This attack is a relative, it’s a new generation of the Duqu attack, most probably made by the same people, or they shared the source code with others.”

Symantec, a large cyber security company in America, agreed that Duqu 2.0 is an evolution of the original threat, created by the same group of attackers.

Symantec also reported that Duqu 2.0 appears to have targeted European and North African telecom operators and a South East Asian electronic equipment manufacturer. Symantec had reported in 2012 that the Duqu threat had not been eliminated and that a new version of the worm had been discovered at that time.

Duqu and Duqu 2.0 are closely linked to Stuxnet, the revolutionary cyber weapon believed to have physically damaged an Iranian nuclear facility and suspected to be the result of a joint US-Israeli top secret operation.

When the original Duqu was discovered in 2011, Symantec reported that it “shares a large number of codes with Stuxnet”, and the same suspicions were raised about whether the attackers were the same or whether source code had been shared.

The Wall Street Journal, in its report today, said that Duqu 2.0 was “commonly believed to be used by Israeli spies.”

But according to Kaspersky Lab, the Duqu 2.0 code also included a number of “false flag” clues intended to mislead investigators about who was behind it. One was a mention in the code of a nickname for a Chinese military officer who was one of five indicted by the U.S. in an extraordinary move by the Department of Justice against Chinese cyber espionage. Another reportedly mentioned a prolific Romanian hacker.

Kaspersky claims that such false flags are relatively easy to spot, especially when the attacker is very careful not to make any other mistakes.

Iran Calls for Broader International Cooperation in Campaign Against Cyber Crimes

Head of Iran Cyber Police (FATA) General Seyed Kamal Hadianfar asked for collective efforts by all world states to prevent the spread of cyber crimes throughout the globe.


General Hadianfar said in a meeting with the representative of the UN Office on Drugs and Crime (UNODC) to Tehran, Leik Boonwaat, on Wednesday: “Effective international cooperation is an important and determining factor in prosecuting and confronting cyber crimes.”

Boonwaat, for his part, vowed that the UNODC would seriously pursue the campaign against cyber crimes in Iran.

Iran hosted a conference and a regional workshop on international cooperation and campaign against cyber crimes on August 13-14.

Eight regional countries, representatives of Interpol and UNODC, and the Iran Cyber Police chief took part in the conference.

The conference and the workshop were held to strengthen international cooperation on prosecuting cyber crimes and reinforce cyber space police forces of the neighboring countries.

In October 2013 Iran’s Deputy Police Chief, Brigadier General Ahmad Reza Radan, said that the country’s Cyber Police unit had greatly improved its infrastructure and was able to discover and detect over 60% of cyber-related crimes.

Radan said: “Right now, the Iranian Law Enforcement Police have made eye-catching progress in the field of cyber infrastructures”.

On January 23, 2011 Iran Cyber Police started its work to prevent espionage and sabotage activities carried out through the internet.

Iran: The World’s Worst Cyber-Terrorists – For Now

Iran became a major cyber terror threat to the US in the last 12 months and targeted several US government agencies, but given Iran’s lack of skills in this area it has so far been unable to cause significant damage. Iran is more than five years behind countries like China, the US and Russia in terms of cyber capabilities, but with the right resources that gap could be closed quickly, especially considering Iran is the historical enemy of the US.

Security company Mandiant, in its latest report, describes Iran’s development from cyber obscurity to becoming a credible but unsophisticated threat. Mandiant is the same company which last year revealed the extent of Chinese government-funded cyber espionage. In the company’s report M-Trends 2014 it is written that “threat actors” based in Iran “pose an ever-increasing threat due to Iran’s historical hostility towards US business and government interests.”

The report reveals that Mandiant observed “threat actors” based in Iran targeting the networks of several US government agencies. In the report it is written that “Employees at a US state government office discovered evidence that someone had accessed multiple systems within their network without authorization. An internal IT department investigation found indications of data theft and unauthorized use of privileged credentials.”

The security company said that the data these actors steal “lacked a discernible focus or demonstrated intent”. This suggests that the purpose of the attacks is more likely “reconnaissance of the potential target’s networks.” Attacks that originate in Iran show a very low level of technical skill, and those carrying out the attacks use off-the-shelf tools which are relatively easy to defend against. Mandiant says that the victim detects 75% of all attacks from Iran.