The Strange Death of an Iranian IRGC Cyber Commander

Funeral reception of Mohammad Hussein Tajik

News of the assassination of an Iranian cyber manager has recently been released. Mohammad Hussein Tajik, the cyber manager of the Iranian Revolutionary Guards Corps (IRGC), was assassinated in his home in July 2016. His torture and death seem strange… read on.

History

Mohammad Hussein Tajik was an accomplished mathematician (having been a silver medallist at a Mathematical Olympiad, which is a great award in Iran and opens many doors). Tajik’s career up to March 2013 involved:

  • Technical office at MOIS (Iranian Ministry of Intelligence)
  • IRGC Sarollah Headquarters (responsible for the security of Tehran and the surrounding province)
  • Deputy Head of the Kheybar Corps (responsible for stopping religious or civil disorder)
  • IRGC Quds Force (Special operations unit that operates abroad)

Arrest & Detention

In March or April of 2013, Tajik was arrested on charges of spying and he was then taken to the MOIS detention center at Hejrat. A court summons for Tajik was issued on 13th July 2013. After that, Tajik was taken in August or September 2013 to the 209 Wing of Evin prison.

Court summons for Mohammad Hussein Tajik


Interrogation & Torture

According to the Christian website vocir.org, Tajik was tortured and his confession was extracted by means of having boiling water poured on his penis and being held for 6 months in a deep pit (or “grave”) with a bright light shone on him constantly.

The Death of Tajik

After Tajik’s release, it was reported that he was, sometime in early July 2016 (believed to be the 7th of July), talking on the telephone to a “news source” when his father (a MOIS operative), along with another MOIS operative, entered his home; at that point Tajik told the “news source” that he would call him back in an hour. Tajik never called back because he had been murdered by his own father and the other MOIS operative.

It was reported that Mohammad Hussein Tajik’s body was very bloody (indicating a violent death) and that his body was covered in plastic bags before being covered in a burial shroud, to prevent the blood showing. It is stated that MOIS demanded that no autopsy be carried out, obviously to try and cover up the murder.

An unconvincing forgery

It is odd enough that a MOIS operative would kill his own son (MOIS and IRGC do not get on), but killing your own son is extreme, even for MOIS… and the official letter (see below) concerning Tajik’s case looks like a forgery, or the work of an intelligence agency? You decide. The document looks odd because we have all seen leaked official documentation and this does not look genuine. Why?

  1. Where is the letterhead in such an “official” document?
  2. There are multiple spelling mistakes.
  3. For an official document, the writing style is too informal.
  4. Why can we not see the document reference number or the signature?


Letter informing the court of witnesses who are linked with the case


Iran’s “Rocket Kitten” Group Claim Compromise of Iranian Telegram Accounts

Following on from my article here about the Iranian Cyber Police asking Iranians to stop using Telegram, it appears that the Iranian hacking group known as Rocket Kitten is behind a compromise of 15 million Telegram accounts used by Iranians.
 
Telegram is a very popular messaging app in Iran and almost 25% of the Iranian population are using the app every day.

Iranian authorities have previously demanded that Telegram provide them with “spying and censorship tools”. Telegram ignored the request and was blocked in Iran for around two hours on October 20 2015. Telegram does not have any servers in Iran, which makes it harder for the Iranian regime to censor Telegram. This compares to the regime “banning” Twitter and Facebook, even though Iranians can use Tor or anonymous VPNs to get around the Iranian Internet filters…

Rocket Kitten

Rocket Kitten refers to a cyber threat group that has been attacking various organizations and individuals, such as members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents.
Rocket Kitten has launched two known campaigns: a malware campaign that uses the GHOLE malware, and a targeted attack called “Operation Woolen-GoldFish” which is probably run by the Iranian regime. Rocket Kitten’s attacks were similar to ones attributed to Iran’s Revolutionary Guards Corps (IRGC). You can read more about Rocket Kitten here.


Telegram attack

Rocket Kitten managed to obtain public information and phone numbers from 15 million Iranian users of the Telegram messaging app, as well as the associated Telegram user IDs. They compromised over 12 Telegram accounts and jeopardized the communications of people including activists and journalists in sensitive positions within Iran.

Telegram responded by saying, “Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed.”

Importantly, Telegram have since changed their API so that similar mass checks on accounts should no longer be possible: Telegram 1, Iranian Regime 0!

The Telegram weakness is that the authorization code used to activate a new device is sent as an SMS text message, and SMS can be intercepted by the phone company. In other words, any state with access to the telecommunications network has a Man In The Middle (MITM) capability against this login flow. This further implicates Rocket Kitten as being part of the Iranian regime.


A word from the Iranian Cyber Police

The Cyber Police of Iran (FATA) have transparently tried to un-link the association between Rocket Kitten and the Iranian government by blaming Telegram’s “weakness”. No one believes them…


The legal and international deputy of the Cyber Police, Colonel Hossein Ramazani, said that the hackers did not get access to personal details of victims and that, “What is clear to us is the vulnerability and weakness which always existed in the service because of its text message confirmation system, through which [hackers] have gained access to the users’ phone numbers. The contents of people’s chats and personal details, however, have not been compromised.” Well, he obviously is not going to admit the regime did it, is he?

Use 2FA!

Telegram supports Two-Factor Authentication (2FA), but it is not enabled by default. Users of Telegram should therefore set up 2FA if they have not already done so: with a second factor, an SMS verification code intercepted on the cellular network is no longer enough to take over the account (even if Telegram claim the mass lookup loophole is fixed). Perhaps Telegram should start enabling 2FA by default!
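To make the two weaknesses in this story concrete, here is an added Python model; it is not Telegram’s code, and the service, the contact-import cap of five numbers and the sample accounts are constructed assumptions. It shows that a carrier-level SMS intercept signs in to an account that relies on the SMS code alone but fails where a cloud password (2FA) is set, and that capping contact-import batches stops the mass registration check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example; a real service would salt per account.
SALT = b"constructed-static-salt"


def hash_password(password: str) -> bytes:
    """PBKDF2 hash of the cloud password that acts as the second factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


@dataclass
class Account:
    phone: str
    user_id: int
    password_hash: Optional[bytes] = None  # None = 2FA not enabled


class MessengerService:
    """Toy model of phone-number lookup and new-device sign-in (hypothetical)."""

    def __init__(self, accounts: List[Account], lookup_cap: int = 5) -> None:
        self._by_phone: Dict[str, Account] = {a.phone: a for a in accounts}
        self._lookup_cap = lookup_cap          # assumed batch cap
        self._pending: Dict[str, str] = {}     # phone -> outstanding SMS code

    def lookup_unrestricted(self, phones: List[str]) -> Dict[str, int]:
        """Weak: confirms registration and user ID for a list of any size."""
        return {p: self._by_phone[p].user_id for p in phones if p in self._by_phone}

    def lookup_capped(self, phones: List[str]) -> Dict[str, int]:
        """Hardened: oversized batches are refused, so mass enumeration fails."""
        if len(phones) > self._lookup_cap:
            raise PermissionError("contact import batch exceeds cap")
        return self.lookup_unrestricted(phones)

    def send_sms_code(self, phone: str) -> str:
        """Issue a one-time code; in reality it travels over the carrier network."""
        code = f"{secrets.randbelow(100_000):05d}"
        self._pending[phone] = code
        return code

    def sign_in(self, phone: str, code: str, password: Optional[str] = None) -> bool:
        """SMS code alone suffices unless the account has a cloud password."""
        if not hmac.compare_digest(self._pending.get(phone, ""), code):
            return False
        acct = self._by_phone.get(phone)
        if acct is None:
            return False
        if acct.password_hash is not None:
            if password is None or not hmac.compare_digest(
                acct.password_hash, hash_password(password)
            ):
                return False
        self._pending.pop(phone, None)  # code is single-use
        return True


def sms_intercept_succeeds(service: MessengerService, phone: str) -> bool:
    """Model of someone reading the SMS in transit: they hold the code, not the password."""
    code = service.send_sms_code(phone)
    return service.sign_in(phone, code)


def build_demo_service() -> MessengerService:
    """Two constructed accounts: one without 2FA, one with a cloud password."""
    return MessengerService([
        Account("+98-900-000-0001", 1001),
        Account("+98-900-000-0002", 1002, hash_password("correct horse battery staple")),
    ])
```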

  

Iranian Hackers Attack Iranian Government Portals & Banks


The IRGC Organized Cyber Crime Investigation Center have reported that over 3,000 Iranian websites have been hacked by a group called the Mafia Hacking Team.

According to Tasnim news, IRGC Organized Cyber Crime Investigation Center spokesman Mostafa Alizadeh stated that, “The person who recently hacked state bodies’ websites managed to access banks’ data bases, including 3,000 pay slips… the person who introduced themselves as ‘Mafia Hacking Team’ in cyberspace and hacked websites of state bodies had identified well-known sites more than a year ago”.



Alizadeh also added that, “This hacker tried to make these bodies realize the security hole that exists in their portals but they did not pay any attention to this”. In other words, Iran has been caught with her cyber-underwear exposed and is very red-faced!

Mostafa Alizadeh stated that the attacker had also hacked various bank information, but did not publish the information (including 3,000 payslips) as the attacker “did not have criminal intentions”, according to Alizadeh.
So it seems that Mafia Hacking Team are not black hat hackers but perhaps gray hat hackers?

The IRGC said that of the 3,000 websites attacked, 38 were Government sites, including the National Organization for Civil Registration (reported by the Iranian Young Journalists Club), Roads and Urban Development, Customs, Industries and Mines organizations. In addition, 370 University sites were also attacked.

Alizadeh was at least honest enough to admit that those “organizations do not use firewalls and lack enough experts for updating their security means”. Not the best cyber security policy perhaps…

  

U.S. Indicts Iranians for Hacking Many Banks & New York Bowman Dam


On Thursday March 24 2016, the US Department of Justice indicted seven hackers associated with the Iranian government, making history as the first time the USA has charged state-sponsored individuals with hacking to disrupt important US industry networks.
The crimes include attacking U.S. banking websites between 2011 and May 2013 and also breaking into a computer system at Bowman Dam in Rye Brook, Westchester County, NY in a possible attempt to disrupt the operation of the dam.

The attackers have been charged with conspiracy to commit, and to aid and abet, computer hacking for their roles in attacks on the U.S. financial sector on more than 176 days.

According to the indictment, all seven men were working for two Iranian computer security companies — ITSecTeam and MERSAD Co. — on behalf of the Iranian Revolutionary Guard Corps (IRGC), a branch of the Iranian military established to defend the country’s Islamic system and promote its ideology.

The indictment alleges that the suspects caused DDoS attacks to crash the sites of 46 U.S. financial institutions. At one point, the attacks happened almost weekly and affected many major institutions. The indictment alleges such actions left hundreds of thousands of customers unable to access online bank accounts.

The seven identified hackers (see photo above), ranging in age from 23 to 37, are:

  • Ahmad Fathi (37)
  • Hamid Firoozi (34)
  • Amin Shokohi (25)
  • Sadegh Ahmadzadegan (23)
  • Omid Ghaffarinia (25)
  • Sina Keissar (25)
  • Nader Seidi (26)

Hamid Firoozi is charged alone for hacking the dam. Amin Shokohi allegedly received credit from the Iranian government toward his mandatory military service for his work in the attacks.

The affected institutions and businesses included:

  • Bank of America
  • Nasdaq
  • New York Stock Exchange (NYSE)
  • Capital One
  • AT&T
  • PNC

U.S. Attorney General Loretta E. Lynch said the attacks caused tens of millions of US dollars in losses.

Sadegh Ahmadzadegan and Omid Ghaffarinia also claimed responsibility for hacking into NASA servers and defacing NASA websites, and Firoozi obtained access to a computer control system for the Bowman Avenue Dam. That access would have allegedly allowed Hamid Firoozi to operate and manipulate a gate on the dam. The attack by Hamid Firoozi took place between August 28 2013 and Sept 18 2013.
He was able to access information related to the status and operation of the dam and the status of the sluice gate—responsible for controlling water levels and flow rates.
However, at the time of the hacks the Bowman Dam sluice gate had been manually disconnected for maintenance.

Wrong target/dry run?

Mayor Paul Rosenberg of the village of Rye Brook, NY has theories as to why the small Bowman dam and its sluice gate were targeted by the Iranians.
One theory is that the Iranian hackers had confused the dam with another dam named Bowman — the Arthur R. Bowman Dam on the Crooked River in Oregon. That dam is 245 feet tall and 800 feet long and is used to irrigate many local farms.
Mayor Rosenberg also thought the hackers had gone after the Rye Brook dam as a dry run for a more disruptive intrusion, for example against a major hydroelectric generator or some other part of the USA’s critical power grid.

Reasons, Iranian & Russian Collaboration

The reasons for the DDoS attacks by Iran are probably in response to strong economic sanctions by the USA and Europe in attempts to make Iran stop its nuclear activities.

The IRGC operates in cyberspace using front companies, which allows the IRGC to circumvent Western law and gives it some anonymity.

The Iranian state may be receiving help from Russian hackers affiliated with the Kremlin, which involves writing code or providing malware tools they can adapt.

Iran has previously been suspected in hacking attempts. A Wall Street Journal report linked the IRGC to similar hacking and phishing attempts targeting the email and social-media accounts of President Obama’s administration officials.

Details

The indictment can be read here.

  

Ashiyane Security Team: agent of the Iranian regime

Ashiyane Security Group (officially Ashiyane Information and Communication Technology Company) is one of the oldest cyber security groups in Iran (since around 2002).
Ashiyane started with the aim of teaching users and network administrators, as well as improving the security level of computer networks.
During the mass protests against the presidential election in 2009, Iran tried to control the protests in cyberspace, and since then the Ashiyane Security Team has been doing so by hacking and identifying cyber activists. This implies that Ashiyane cooperated with the Iranian Revolutionary Guards Corps (IRGC) and other security units, leading many to believe that the “Iranian Cyber Army” group is actually also the Ashiyane group.

Before the 2009 protests, Ashiyane was already involved in activity for the state: for example, in response to the publication of cartoons depicting the Prophet Muhammad in Danish newspapers, over 1000 American, British and French websites were hacked by Ashiyane. News of Ashiyane’s activities was widely publicized by news agencies such as Fars and IRNA and by newspapers such as Iran, Javan and Keyhan, and was described as “Iran’s victories in cyber space”.

After defacing a website’s home page, Ashiyane mostly displays a political message on the main page; Behrouz Kamalian (team founder) said of this activity in an interview with Fars News Agency: “In response to the inhumane actions of the terrorism sponsors, headed by US and Britain, the new way of confronting is raised.”

Kamalian has also been quoted deflecting rumors about Ashiyane cooperating with the Islamic Republic Security System: “Ashiyane has also officially worked to improve the security of web sites and intranets and has served many governmental organizations, military and private companies. Unfortunately, many websites of the opposition to Iran’s government have announced that Ashiyane Group is affiliated with the government. I have said in my other interviews that our team is an independent group and is not affiliated with any other military or governmental organizations. We act spontaneously based on our bias and when we see a country insults our religion or our nationality, we display our objection through penetrating into their sites and it does not mean that we have been ordered to do so. If Ashiyane was an affiliated group, it wouldn’t be able to easily interview with the media, and this freedom is a sign of our independence.”

Kamalian contradicted himself by also saying: “We get orders to hack different sites both from legal persons and individuals, but this is not part of our ordinary project and we reject many of these orders. We have never accepted to hack an internal website to gain money. But there are websites that had insulted Quran and our religion. In these occasions we would also like to penetrate into these sites.”

Kamalian has also spoken about the cooperation of Ashiyane with the Department of IRGC Cyber Defense: “We cooperate with military organizations in the field of counselling and improving the security, but it is never in the way that we get order to work on their behalf.”

He created Alborz Hackers Group which was among the first groups of Iranian hackers in 2001 and met Mahdi Mirzaei there; this meeting caused the creation of a new group called Ashiyane Group in 2002.

This team started its activity by hacking university websites in the country, such as the University of Science and Industry (Elm & Sanaat) and Amir Kabir University.

Hacking the Iranian sites quickly led the Ashiyane Group to gain fame among those interested in informatics, and many security companies (in the network and internet field) invited them to cooperate.

The group’s growing commercial activity led Kamalian to register the Ashiyane Group as an official and legal company. After registration, in addition to providing network and server security, consulting services and selling security software, it also held training in hacking, cracking, networks, servers and security.

The project of hacking a Persian website called “Balatarin” was one of Ashiyane’s activities that raised the most negative reactions; Ashiyane declared the project with the cooperation of the Virtual Jihad Group affiliated with the Basij of Students, but after the negative reactions toward it Bahman Kamalian denied any involvement in the hacking.

Members


Apart from the name and photo of the group’s director, there is no complete information about the identity of the Ashiyane Group, nor any confirmed photos of its other members, although research has revealed the names and handles below:

  • Behrouz Kamalian (Director, handle: Behrouz_ice)
  • Nima Salehi (member/manager, handle: Q7X)
  • Mahdi Chinichi (member/manager, handle: Virangar)
  • Omid Norouzi (member/manager, handle: Sha2ow)
  • Farshid Sargheini (member/manager, handle: Azazel)
  • Hamid Norouzi (member/manager, handle: eychenz)
  • Iman Honarvar (member, handle: iman_taktaz)
  • Keyvan Sedaghati (member, handle: keivan)
  • Ali Seid Nejad (member, handle: Ali_Eagle)
  • Milad Bokharaei (member, handle: ®Maste)
  • Mohammad Tajik (member, handle: taghva)
  • Meghdad Mohammadi (member, handle: M3QD4D)
  • Erfan Zadpoor (member, handle: PrinceofHacking)
  • Mohammad Reza Dolati (member, handle: HIDDEN-HUNTER)
  • Kaveh Jasri (member, handle: root3r)
  • Navid Naghdi (member, handle: elvator)
  • Mohammad Hadi Nasiri (member, handle: unique2world) 
  • Amin Javid (member, handle: Gladiator)
  • Vahid Maani (member, handle: WAHID 2)
  • Sina Ahmadi Neshat (member, handle: Encoder)
  • Milad Mazaheri (member, handle: mmilad200)
  • Armin (member, handle: n3me3iz)
  • Mohammad Mohammadi (member, handle: Classic)
  • Mahdi K. (member, handle: r3d.z0nE)
  • Mohammad Reza (member, handle: iNJECTOR)
  • Mohammad Reza Ali Babaei (member, handle: mzhacker)
  • Ramin Baz Ghandi (member, handle: fr0nk)
  • Ashkan Hosseini (member, handle: Http://Askn)
  • Ali Hayati (member, handle: Zend)
  • Milad Jafari (member, handle: Milad-Bushehr)
  • Mehrab Akherati (member, handle: AliAkh)
  • Amir Hossein Tahmasebi (member, handle: __amir__)
  • Amin Bandali (member, handle: anti206)
  • Shahin Salak Tootonchi (member, handle: ruiner_blackhat)
  • Poorya Mohammadrezaei (member, handle: Hijacker)

Mission


Apart from the security and anti-security activities of Ashiyane, it has established its own hosting company, describing the services it provides as follows: “Communication and Information Company of Ashiyane has decided to enter the hosting field due to analyzing the present situation of web hosting in Iran and realizing the lack of security and knowledgeable people in this field; in order to gratify the shortage, Ashiyane Host Company is ready to present high quality and security services.

Considering the strength of the Ashiyane’s security team in hacking and security, being aware of up-to-date methods of penetrating, having access to illegal hacker communities, as well as utilizing these methods, Ashiyane applies its knowledge in security and configuration of the servers so that the company is able to close the penetration ways one step ahead of others and bring satisfaction to the customers.”

Despite Ashiyane’s remarkable statement about its abilities, and although it had earlier been claimed that Ashiyane had discovered a security hole in the Telegram messenger (news that quickly found a wide echo in media close to the Islamic Republic), the website of the Ashiyane Security Group was itself hacked on July 1, 2014: visitors to the site saw a black page with the English text “This site has been hacked by Iranian Black Hat hackers group:”.

  

Project “Pistachio Harvest”


Months of research into Iranian networks has uncovered at least 16,000 systems controlled by Iran outside its borders; 2,000 of these were infected machines belonging to businesses in the US, Israel and other countries.

Many of the Internet Protocol addresses (IPs) of those machines are hosting .ir websites, domains that are used as platforms for attacks. According to the company, in many cases visitors to those sites are later infected with malware, software designed specifically for surveillance and to obtain valuable data from target organisations.

Most targets are in the US, although attacks have also hit the UK, Israel, Germany and Canada. Various US and European hosting companies have also been abused: cloud and hosting services of industry giants like Amazon and GoDaddy are used to launch the attacks.

Norse believes previous research into Iranian activity may have included false assumptions about the actors involved, as Iran has been adept at creating disinformation and has used more than 5000 fake social networking profiles to lead investigators down trails to nobody and nowhere.

iSight released a report and claimed that these fake profiles were used to spy on military leaders and political staff across the world.

Norse set up fake systems that appeared to belong to businesses and critical infrastructure providers and that were attractive to attackers. The organization collected data on the subsequent attacks and traced a large number of them to Iran. Norse also used “millions of sensors dropped all over the world” and analysis tools for tracing.

Turkey and Iran collaborate on cyber issues, and it is reported that Turkey, in exchange for oil and other goods, helped Iran circumvent the US and European sanctions that were implemented in response to that country’s nuclear programs.

Rival security research firm CrowdStrike says that it tracks four different Iranian groups that it calls Kittens. Each Kitten is separate from the others and has its own modus operandi and target list. Among them is Cutting Kitten.

Role of Iran’s Universities

The Islamic Republic of Iran has other ways of encouraging IT entrepreneurs to follow its commands. For example, the role of government in Iran’s university system is enormous. The regime has invested large amounts in building IT and other scientific infrastructure at the top educational institutions, including Sharif University of Technology, Shahid Beheshti University and the IRGC-linked Malek Ashtar University, and in return can direct research in ways that pursue regime objectives.

The development of Iran’s nuclear weapons program after 2003 is an example for understanding the evolution of the relationship between government, security services and universities in IT. When Supreme Leader Khamenei ordered a stop to Iran’s state nuclear weapons research program after the US invasion of Iraq in 2003, his lieutenants built a new structure that spread the relevant research through the university system.

The scale and effects of this effort are visible, but assessing the level of awareness or willingness of all the university participants in it is not easy, and Iran’s IT sector works in a similar fashion. Government and security institutions collaborate with universities in research to achieve government aims and make faculties and students components of regime strategic efforts. After graduation, students find themselves in a network of associations and research projects that mostly also supports regime priorities, whether they know it or not.

The Islamic Republic also uses incentives created by mandatory military service to encourage aspiring young programmers to support state security efforts directly. At least one scientist involved in research related to the development of nuclear weapons writes in his resume that he was exempted from compulsory military service in exchange for work on a project deemed useful to the armed forces. This program of exemption was developed in 2007.

Therefore Iran’s leaders have carefully and consciously built national IT, education and corporate infrastructures that produce excellently educated developers with incentives to pursue government objectives and not to use their skills against the government. They have involved Iran’s security organs, especially the IRGC, in these structures in ways that allow the regime to use these IT and hacking capabilities with plausible deniability. In addition they have built an internet infrastructure designed to hide the sources of malicious activity and to give the government the ability to monitor, regulate and control citizens’ access to the internet in extremely detailed ways.

Full details of the Norse Project Pistachio Harvest report are found here: www.pistachioharvest.com/#/dashboard
  

Iran Sentences 11 “Cyber-Activists” To Jail On Charges Of Having Ties to Foreigners

A court in Iran’s south-eastern Kerman province sentenced a group of already jailed cyber-activists to prison terms of from 1 to 11 years on charges of breaching national security.
Kerman Prosecutor Yadollah Movahhed said on June 19 that the sentenced persons are members of Paat Shargh Govashir technology group who had ties with foreign media and were preparing technical service for anti-government websites, Fars news agency reported.
He added that the verdict is not final and can be appealed.
Movahhed noted that the defendants have “confessed” their guilt.
The mentioned Paat Shargh Govashir company owns Narenji, which was publishing tech news.
Eight Narenji bloggers, along with another eight cyber activists, were arrested by the Islamic Revolutionary Guard Corps (IRGC) last December, accused of cooperation with Western news networks, designing and updating websites educating citizen reporters, and cooperation with opposition websites.