Hierarchy of Hackers Exposed!

Cyber Warfare Asia
2 min readSep 16, 2019


Insight into how IRGC Uses Contractors and Universities to Conduct its Cyber-espionage

Iran has regularly been blamed for responding to sanctions with offensive cyber campaigns. Since 2009, Iran has used proxies and front organizations both in physical conflict — Hezbollah against Israel and Yemeni rebels against Saudi Arabia — and in cyberattacks to achieve its goals.

History and Relationships Between Proxies

Iranian leaders established an intelligence and security organization, the Islamic Revolutionary Guard Corps (IRGC), “charged with defending the Republic against internal and external threats.”

IRGC is Iran’s premier security organization and possesses an army, navy, and air force, and has been linked to cyberattacks against Western institutions since 2011.

The emergence of the Iranian Cyber Army (ICA) as an extension of the IRGC was an initial attempt by Iran at conducting internationally focused operations. Its Khaybar Center has been linked to a number of attacks against the US, Saudi Arabia, and Turkey.

According to sources, the IRGC employs a tiered approach: cyber tasks are bid out to multiple contractors. The result is a quasi-capitalistic system in which contractors compete against each other for influence.

Today, it is estimated that over 50 organizations vie for government-sponsored offensive cyber projects. Only the best teams succeed, get paid, and remain in business.

Public reporting has also established that Iranian academic institutions play a contractor-like role. Specific examples include Shahid Beheshti University (SBU) and Imam Hossein University (IHU), which attract some of the best academic talent in Iran. SBU has a cyberspace research institute dedicated to such matters, and IHU was founded by the IRGC.

Relationship Between the Iranian Government, Contractors, and Security Forums

Cyber-security firms such as ClearSky, FireEye, Symantec, and PhishLabs have all published significant research on Iranian state-sponsored campaigns.

FireEye disclosed that the Nasr Institute was an APT33 contractor in an operation that used publicly available backdoors and remote access trojans. The associated data-wiping operation targeted sectors across Saudi Arabia and Europe.

Additional publicly known Iranian contractors include ITSecTeam (ITSEC) and Mersad Company, both linked to Operation Ababil.

Research suggests that Iranian security forums play a role in staffing and knowledge sharing for Iranian contractors. FireEye referenced the publicly available ALFA TEaM Shell in APT33 spear-phishing email campaigns. The ALFA Shell is discussed in multiple online venues, including the Ashiyane and Iranian Dark Coders Team forums.

Finally, according to sources, the Iranian contractor ITSEC specifically recruited hackers from the online forums Simorgh and Delta Security.

Further, Hossein Asgari, a self-proclaimed Iranian hacker, managed the Simorgh forum and worked with his father, who was employed by the IRGC.
