
Source code of Iranian cyber-espionage tools leaked on Telegram


The AchieVer


APT34 hacking tools and victim data leaked on a secretive Telegram channel since last month.

[Image: APT34 leak on Telegram]

In an incident reminiscent of the Shadow Brokers leak that exposed the NSA's hacking tools, someone has now published hacking tools belonging to one of Iran's elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten.

 

The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless.

VICTIM DATA ALSO DUMPED ONLINE

The tools have been leaking onto a Telegram channel since mid-March, posted by an individual using the pseudonym Lab Dookhtegan.

 

Besides hacking tools, Dookhtegan also published what appears to be data from some of APT34's victims, mostly consisting of username and password combinations that appear to have been collected through phishing pages.

 

ZDNet was already aware of some of these tools and victim data after this reporter received a tip in mid-March. In a Twitter DM, a Twitter user shared some of the same files that were discovered today on Telegram, and we believe that this Twitter user is the same person behind the Lab Dookhtegan persona on Telegram.

[Image: APT34 Twitter]

 

In our Twitter conversation, the leaker claimed to have worked on the group's DNSpionage campaign, but this claim should be treated with caution: the leaker could very well be a member of a foreign intelligence agency hiding their real identity while lending credibility to the authenticity of Iran's hacking tools and operations.

AUTHENTICITY CONFIRMED

Several cyber-security experts have already confirmed the authenticity of these tools. Chronicle, Alphabet's cyber-security division, confirmed this to ZDNet earlier today.

In the Telegram channel discovered today, the leaker published the source code of six hacking tools, along with the contents of several active backend panels where victim data had been collected.

 

Hacking tools:
- Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks names BondUpdater)
- PoisonFrog (older version of BondUpdater)
- HyperShell (web shell that Palo Alto Networks calls TwoFace)
- HighShell (another web shell)
- Fox Panel (phishing kit)
- Webmask (DNS tunneling, main tool behind DNSpionage)
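Webmask is listed above as a DNS-tunneling tool, and DNS tunnelling is the one technique in this list a defender can hunt for in logs they already have. The heuristics below are an added example written for this page; they are not code from the leak, from APT34, or from ZDNet, and they do not model Webmask's actual encoding. The log format (timestamp, client IP, query type, queried name), the sample lines, and the thresholds are all assumptions.

```python
"""DNS-tunnelling heuristics over constructed DNS query logs.

Added example, not part of the leaked tooling or the article. The log
format and the thresholds are assumptions to be tuned against a baseline.
"""
import math
from collections import defaultdict

# Constructed sample log, not a real capture: timestamp, client, qtype, qname.
# The long hex-looking labels mimic data chunks encoded into subdomains.
SAMPLE_LOG = """\
2019-04-18T10:00:01 10.0.0.5 A www.example.com
2019-04-18T10:00:02 10.0.0.5 A mail.example.com
2019-04-18T10:00:03 10.0.0.7 TXT 6a7f3b9e2c1d4e5f6a7b8c9d0e1f2a3b.c2-example.net
2019-04-18T10:00:04 10.0.0.7 TXT 9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.c2-example.net
2019-04-18T10:00:05 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-example.net
2019-04-18T10:00:06 10.0.0.7 A 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.c2-example.net
2019-04-18T10:00:07 10.0.0.9 A cdn.example.com
2019-04-18T10:00:08 10.0.0.9 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 32-char hex strings score near 4.0, hostnames near 2."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so names under
    'co.uk'-style suffixes need a real PSL lookup in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the assumed four-column format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def domain_stats(records):
    """Per registered domain: distinct subdomain prefixes, their mean length
    and entropy, and the share of record types that carry bulky payloads."""
    acc = defaultdict(lambda: {"subs": set(), "queries": 0, "bulky": 0})
    for r in records:
        dom = registered_domain(r["qname"])
        prefix = r["qname"][: -len(dom)].rstrip(".")
        st = acc[dom]
        st["queries"] += 1
        if prefix:
            st["subs"].add(prefix)
        if r["qtype"] in ("TXT", "NULL", "CNAME", "MX"):
            st["bulky"] += 1
    out = {}
    for dom, st in acc.items():
        subs = sorted(st["subs"])
        k = len(subs) or 1
        out[dom] = {
            "queries": st["queries"],
            "unique_subdomains": len(subs),
            "mean_len": sum(len(s) for s in subs) / k,
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / k,
            "bulky_qtype_ratio": st["bulky"] / st["queries"],
        }
    return out


def detect_tunneling(log_text, min_unique=3, min_len=20, min_entropy=3.0):
    """Return domains whose subdomain pattern looks like encoded data:
    many distinct, long, high-entropy prefixes. Thresholds are assumptions."""
    flagged = {}
    for dom, st in domain_stats(parse_log(log_text)).items():
        if (st["unique_subdomains"] >= min_unique
                and st["mean_len"] >= min_len
                and st["mean_entropy"] >= min_entropy):
            flagged[dom] = st
    return flagged


if __name__ == "__main__":
    for dom, st in detect_tunneling(SAMPLE_LOG).items():
        print(f"{dom}: {st['unique_subdomains']} unique subdomains, "
              f"mean len {st['mean_len']:.1f}, entropy {st['mean_entropy']:.2f}, "
              f"bulky qtype ratio {st['bulky_qtype_ratio']:.2f}")
```

On the constructed sample only c2-example.net is flagged: its four prefixes are 32 characters long with entropy near 4 bits per character, and three of its four queries are TXT lookups, while example.com has short, low-entropy hostnames. Against real resolver logs, CDN and anti-spam services that legitimately use long hashed labels will trip the same heuristics, so the output is a hunting lead to enrich with client count and query volume, not an alert on its own.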

 

Besides source code for the above tools, Dookhtegan also leaked on the Telegram channel data taken from victims that had been collected on some of APT34's backend command-and-control (C&C) servers.

[Image: APT34 victim data]

 

In total, according to Chronicle, Dookhtegan leaked data from 66 victims, mainly from countries in the Middle East, but also Africa, East Asia, and Europe.

 

Data was taken from both government agencies and private companies. The two biggest companies named on the Telegram channel are Etihad Airways and Emirates National Oil. A list of the victims (without company or government agency names) is available here.

 

The data leaked for each victim varied, ranging from username and password combinations to internal network server details and user IP addresses.

 

Additionally, Dookhtegan leaked data about past APT34 operations, listing the IP addresses and domains where the group had hosted web shells, along with other operational data.

[Image: APT34 web shells]

 

Besides data on past operations, the leaker also doxxed Iranian Ministry of Intelligence officers, posting the names, phone numbers, and images of officers involved in APT34 operations. For some officers, Dookhtegan created PDF files containing their names, roles, images, phone numbers, email addresses, and social media profiles.

[Image: APT34 doxx]

 

It was clear from the detailed doxxing packages that the leaker had a bone to pick with the Iranian Ministry of Intelligence officers, whom he repeatedly called "cruel," "ruthless," and "criminal."

 

"We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them," Dookhtegan said in a Telegram message posted last week.

 

The leaker also posted screenshots on the Telegram channel suggesting that the control panels of APT34 hacking tools had been destroyed and servers wiped clean.

[Image: APT34 destroyed server]

[Image: APT34 BIOS destroy]

 

The data leaked on this Telegram channel is now under analysis by several cyber-security firms, ZDNet was told. It has also made its way onto other file-sharing sites, such as GitHub.

 

"It's likely this group will alter their toolset in order to maintain operational status," Brandon Levene, Head of Applied Intelligence at Chronicle, told ZDNet today in an email. "There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use."

 

This is because the tools are not sophisticated and are nowhere near the top-tier tools exposed in the Shadow Brokers' NSA leak. Nation-state or criminal groups that reuse them will most likely do so as a smoke-screen or false flag, to make their own operations look like APT34's.

 

 

Source: ZDNet

Look who's calling Iran cruel - it might be the Saudis and Americans, who themselves are not innocent either and have the blood of innocents on their own hands 😛

It might well be the work of the CIA or Saudi intelligence (or petro-funded CIA contractors, because the Saudis are not intelligent enough) 🤣



2 hours ago, Ha91 said:

Look who's calling Iran cruel - it might be the Saudis and Americans, who themselves are not innocent either and have the blood of innocents on their own hands 😛

It might well be the work of the CIA or Saudi intelligence (or petro-funded CIA contractors, because the Saudis are not intelligent enough) 🤣

 

Not Americans, nor "Saudis". I'm pretty sure it's their hateful neighbours to the west. You know... the ones that insist on regime change for their neighbours despite having a king who is deep in corruption.



Why is it everyone thinks only others do the bad stuff in the world, and that they are never guilty, or not as guilty, or only do so to defend against other cruel, inhuman crimes perpetrated by others upon them, so what they did is justified? NOTICE how this said everyone, not some, but everyone. Even when evidence to the contrary gets produced, it turns into false information put out by their enemies to make them look bad, or is simply denied, or the old standby: they did it first and did much worse, so this is just payback to them, but again, we are still totally innocent and it's all them that does wrong, not us... Everyone plays this game the same.



2 hours ago, dMog said:

Why is it everyone thinks only others do the bad stuff in the world, and that they are never guilty, or not as guilty, or only do so to defend against other cruel, inhuman crimes perpetrated by others upon them, so what they did is justified? NOTICE how this said everyone, not some, but everyone. Even when evidence to the contrary gets produced, it turns into false information put out by their enemies to make them look bad, or is simply denied, or the old standby: they did it first and did much worse, so this is just payback to them, but again, we are still totally innocent and it's all them that does wrong, not us... Everyone plays this game the same.

 

Exactly, I totally agree with you. See how the Zionist regime and the U.S. try to cover up any proof and news about Zionists doing whatever they want to other countries and people by telling everyone the information is falsified by enemies.



You kind of missed my point TOTALLY and unequivocally. But then again, you kinda just proved it too. And with that, this post should be closed before we get bloodshed here too.

 



1 hour ago, dMog said:

You kind of missed my point TOTALLY and unequivocally. But then again, you kinda just proved it too. And with that, this post should be closed before we get bloodshed here too.

 

But yet when the Shadow Brokers did it and dumped it on the USA, the posts were fine, because not all people from the USA that visit message boards are pro-government trolls trying to make out like their country does no wrong. All countries have anti-government people, but in certain countries they have to hide or the governments will prosecute them. So mostly all you see is pro-government trolls from those countries online. It's never the news that gets a post closed, it's the people in the post.

https://www.newsweek.com/iran-protests-government-control-internet-dissent-776318

https://en.wikipedia.org/wiki/2017–18_Iranian_protests

 

That's why, at this site where there's a high risk of the post being closed, I try to avoid posting news that may offend the pro-government trolls from certain other countries, because you will never hear the other side of the story from their anti-government people, because they're afraid to speak up to balance it out. What good is a one-sided story? Straycat and I debate all the time; he's pro-government and I'm anti-government. We hardly agree on anything, but we never cause posts to get closed, because we're two sides of the story from the same country. 🤣



6 hours ago, dMog said:

You kind of missed my point TOTALLY and unequivocally. But then again, you kinda just proved it too. And with that, this post should be closed before we get bloodshed here too.

 

 

No, you missed my point. You don't want to see the whole story, only half of it.



Whereas you ONLY ever point out the bad stuff from the USA. All I said was that the USA is NOT the only bad player on the playground, to which you sort of agreed, but only to the extent of Israel being the ONLY other bad player you are reporting. Any so-called enemies of America and Zion in your eyes are the only innocent people; I've never seen you say your heroes do wrong, you deny it. In fact, all you say is that they never do wrong, and when presented with evidence you do not like, you tend to say it is not true or made-up propaganda.

ADN locked this topic. This topic is now archived and is closed to further replies.