Information Warfare: Vendetta

Archives

May 28, 2019: In March 2019 a hacker group calling itself Lab Dookhtegan (“sealed lips” in Farsi, the Iranian language) began releasing details of an Iranian APT (Advanced Persistent Threat) hacker group called OilRig. The details not only included the source code for the tools OilRig used but also details of who they attacked and, worst of all, personal details about members of OilRig. The Lab Dookhtegan never revealed details about who they were although there were indications that Lab Dookhtegan personnel were themselves hackers who may have worked for OilRig. Whatever the case, the OilRig disclosures did not cause OilRig to cease operations and even if efforts continue to track down OilRig personnel and shut down their current operations, OilRig will survive and possibly take a new name and carry on. This has happened before with veteran APTs. OilRig is also known as APT34.

The term APT has been used since the 1990s to describe a major threat to network security and originally referred to one type of attack or collection of hacker software. The term became increasingly common since the U.S. Air Force began using it in 2006 to describe major hacker groups, including ones that were part of government-backed Cyber War efforts. OilRig apparently worked for Iranian intelligence to spy on other nations in the Middle East. Lab Dookhtegan released details of some of those operations, including what was taken, how and where it was sent. The Lab Dookhtegan people were very angry at those who ran OilRig and Iranian intelligence personnel, calling them evil. It was easy for Internet security personnel to confirm the authenticity of what OilRig had done, how they did it and who they did it to. Due to the Lab Dookhtegan revelations OilRig was damaged but not destroyed as an APT. The personnel who run OilRig, even though their personal details were now public, could rebuild and create another APT. The Iranians have not commented publicly about Lab Dookhtegan or what it had done. In any event, OilRig was but one of dozens of APTs that the Iranian government has employed for Internet-based espionage and larceny. With the current revival of economic sanctions on Iran, the APTs employed will probably be doing more fundraising than intelligence gathering. The major benefit Iran can offer the APTs it employs is sanctuary. Most of these APT personnel are Iranian based, where they cannot be prosecuted. Lab Dookhtegan made life difficult for a lot of these Iranian hackers to travel outside Iran now that foreign police and intel agencies know who they are. That information also helped foreign investigators to connect the dots and identify other personnel working for Iranian APTs.

Hacking has gone pro since the late 1990s and, in addition to creating a new area for organized crime to operate in, these mercenary criminal hackers have become a major source of talent for nations seeking to create Cyber War weapons as major components of their military power. This evolution came into focus since the Internet and the World Wide Web became widely used and truly international after 2005. Within a decade researchers began to encounter more and more major APTs. These major malware operations were definitely Advanced Persistent Threats and lucrative enough to attract a lot of new talent. The attraction wasn’t always economic. Many proficient hackers did it because the found it satisfying work while others did it out of patriotism. Sometimes all of these motivations are combined, as when an unknown APT hacked the American NSA (American National Security Agency) and obtained some valuable NSA hacking tools. These were later sold via an Internet-based broker and used for economic attacks. One of these NSA tools was called EternalBlue and it used a ZDE (Zero Day Exploit) stockpiled by the NSA for possible Cyber War operations. This particular ZDE exploited a flaw in Windows network software allowing the EternalBlue program to quietly insert itself into other PCs on the same network as the PC infected (probably via a spearfishing attack) with an extortion app called WannaCry.

The Iranian APTs were interested in obtaining hacker tools but the Iranian government mainly wanted details of the military, economic and espionage capabilities of their neighbors. This use of APTs was one advantage Iran had against its enemies. Decades of sanctions had made it impossible for Iran to obtain modern weapons or technology in general. But via the APTs, they created or employed they could steal much of what they wanted.