Source code of Iranian cyber-espionage tools leaked on Telegram
In an incident reminiscent of the Shadow Brokers leak that exposed the NSA’s hacking tools, someone has now published similar hacking tools belonging to one of Iran’s elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten.
The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless.
Victim data also dumped online
The tools have been leaked since mid-March on a Telegram channel by an individual using the Lab Dookhtegan pseudonym.
Besides hacking tools, Dookhtegan also published what appears to be data from some of APT34’s hacked victims, mostly comprising of username and password combos that appear to have been collected through phishing pages.
ZDNet was previously aware of some of these tools and victim data after this reporter received a tip in mid-March. In a Twitter DM, a Twitter user shared some of the same files that were discovered today on Telegram, and we believe that this Twitter user is the Telegram Lab Dookhtegan persona.
In our Twitter conversation, the leaker claimed to have worked on the group’s DNSpionage campaign, but this should be taken with a grain of salt, as the leaker could very well be a member of a foreign intelligence agency trying to hide their real identity while giving more credence to the authenticity of Iran’s hacking tools and operations.
Several cyber-security experts have already confirmed the authenticity of these tools. Chronicle, Alphabet’s cyber-security division, confirmed this to ZDNet earlier today.
In the Telegram channel discovered today, the hacker leaked the source code of six hacking tools, and the content from several active backend panels, where victim data had been collected.
– Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks names BondUpdater)
– PoisonFrog (older version of BondUpdater)
– HyperShell (web shell that Palo Alto Networks calls TwoFace)
– HighShell (another web shell)
– Fox Panel (phishing kit)
– Webmask (DNS tunneling, main tool behind DNSpionage)
Besides source code for the above tools, Dookhtegan also leaked on the Telegram channel data taken from victims that had been collected in some of APT34’s backend command-and-control (C&C) servers.
In total, according to Chronicle, Dookhtegan leaked data from 66 victims, mainly from countries in the Middle East, but also Africa, East Asia, and Europe.
Data was taken from both government agencies, but also from private companies. The two biggest companies named on the Telegram channel are Etihad Airways and Emirates National Oil. A list of the victims (but without company/government agency names) is available here.
Data leaked from each victim varied, ranging from usernames and password combos to internal network servers info and user IPs.
Additionally, Dookhtegan also leaked data about past APT34 operations, listing the IP addresses and domains where the group had hosted web shells in the past, and other operational data.
Besides data on past operations, the leaker also doxxed Iranian Ministry of Intelligence officers, posting phone numbers, images, and names of officers involved with APT34 operations. For some officers, Dookhtegan created PDF files containing their names, roles, images, phone numbers, email addresses, and social media profiles.
It was clear from the detailed doxing packages that the leaker had a bone to pick with the Iranian Ministry of Intelligence officers, to which he referred many times as “cruel,”http://www.zdnet.com/”ruthless,” and “criminal.”
“We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them,” Dookhtegan said in a Telegram message posted last week.
The leaker also posted screenshots on the Telegram channel alluding to destroying the control panels of APT34 hacking tools and wiping servers clean.
The data leaked on this Telegram channel is now under analysis by several cyber-security firms, ZDNet was told. It has also made its way on other file sharing sites, such as GitHub.
“It’s likely this group will alter their toolset in order to maintain operational status,” Brandon Levene, Head of Applied Intelligence at Chronicle, told ZDNet today in an email “There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use.”
This is because the tools aren’t sophisticated and aren’t top-tier tools like the ones leaked in the Shadow Brokers’ NSA leak. Nation-state or criminal groups who will reuse these tools will most likely do it as a smoke-screen or false flag, to mask their operations as APT34.