Tuesday, February 9, 2016
Yaser Balaghi Leaves Calling Card After Hacking the IDF
An Iranian hacker made a grave error while hacking a former chief of staff of the Israel Defense Forces (IDF).
The hacker, Tehran-based Yaser Balaghi, later boasted of the hack, but he also accidentally left behind a digital calling card that allowed his identity to be exposed.
His error caused Iran to halt the hacking operation, which had targeted 1,800 people worldwide, including Israeli army generals, human rights activists in the Persian Gulf and scientists.
The group behind the operation, known as "Rocket Kitten" (linked to the Iranian Revolutionary Guards and first identified in 2014), started this attack in November 2015; targets received email messages designed to plant spyware on their computers.
More than 25% of those targeted opened the emails and, without knowing it, downloaded spyware that let the hackers steal information from their computers.
The attacks originated in Iran and were aimed at targets in Israel and the wider Middle East, with Israeli generals among them.
The hackers used techniques including "targeted phishing" (spear phishing: victims are lured to false web pages that mimic real ones in order to capture their login credentials) and then compromised 40 targets in Israel and 500 across the world.
The Israeli targets included generals, employees of security consulting firms and academic researchers.
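The "false web pages that look like real ones" in targeted phishing almost always sit on domains chosen to resemble the real one. What follows is an added example (not code from this post or from Check Point's report) of a lookalike-domain check that can be run over sender or landing-page domains pulled from mail logs. The protected domains (example.com, example.org) and the observed sample domains are constructed for illustration, and the two-label "registrable domain" split is a simplification of what the public suffix list would give you.

```python
"""Lookalike-domain triage for targeted-phishing mail.

Added example: this is not code from the original post or from Check Point's
report. It flags sender or landing-page domains that imitate a domain we
protect. The protected domains and the observed domains below are constructed
for illustration, not taken from the Rocket Kitten campaign.
"""

import unicodedata

# Domains we own, as registrable names (second-level label plus TLD).
# Assumption: the organisation owns example.com and example.org.
PROTECTED = {"example.com", "example.org"}

# Single-character substitutions attackers use to build confusable names.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l",
})


def skeleton(label: str) -> str:
    """Collapse confusable spellings of a DNS label to one canonical form."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = s.encode("ascii", "ignore").decode()   # strip accents, fold to ASCII
    s = s.translate(HOMOGLYPHS)
    # Two-glyph confusables: "rn" reads as "m", "vv" reads as "w"
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(observed: str, protected=PROTECTED):
    """Return (verdict, imitated_domain) for one observed domain.

    verdict is one of:
      "legitimate" - the domain is a protected domain or a subdomain of one
      "embedded"   - a protected name is used as leading labels or as a
                     hyphen-delimited token of some other domain
      "lookalike"  - the second-level label is a confusable spelling of a
                     protected one, or only the TLD differs
      "unrelated"  - none of the above
    """
    obs = observed.lower().rstrip(".")
    for legit in sorted(protected):
        if obs == legit or obs.endswith("." + legit):
            return ("legitimate", legit)

    labels = obs.split(".")
    # Simplification: treat the second-from-last label as the registrable
    # name. Real deployments should consult the public suffix list.
    obs_sld = labels[-2] if len(labels) >= 2 else labels[0]

    for legit in sorted(protected):
        legit_sld = legit.split(".")[0]
        # e.g. example.com.login-secure.net
        if obs.startswith(legit + "."):
            return ("embedded", legit)
        # e.g. example-com.net or secure-example.net
        if obs_sld != legit_sld and legit_sld in obs_sld.split("-"):
            return ("embedded", legit)
        # e.g. examp1e.com, exarnple.com, example.co, example.net
        if levenshtein(skeleton(obs_sld), skeleton(legit_sld)) <= 1:
            return ("lookalike", legit)
    return ("unrelated", None)


# Constructed sample of sender domains pulled from mail logs (not real data).
SAMPLE_DOMAINS = [
    "mail.example.com",
    "examp1e.com",
    "exarnple.com",
    "example.com.login-secure.net",
    "example-com.net",
    "example.net",
    "unrelated-company.org",
]


def triage(domains=SAMPLE_DOMAINS):
    """Return only the domains that warrant a closer look, with their verdict."""
    results = [(d, *classify(d)) for d in domains]
    return [r for r in results if r[1] != "legitimate"]


if __name__ == "__main__":
    for domain, verdict, legit in triage():
        print(f"{domain:32} {verdict:10} imitates {legit}")
```

The edit-distance threshold of 1 is deliberately loose and will over-match on very short labels; treat hits as candidates for analyst review rather than verdicts, and swap the two-label split for a public-suffix-list lookup before using this on real mail.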
Check Point Software researchers revealed Balaghi's identity after finding that he goes by the handle "Wool3n.H4T".
Not only did the Rocket Kitten hackers leave default passwords in place and allow password-less root access to their server management software, they also infected their own C&C (command and control) server with their keylogger malware... and then left it there #fail.
The Check Point researchers were therefore able to harvest the usernames and passwords of every account the hackers had logged on to from that server. Oh dear...
In addition to allowing password-less root access to any browsing visitor, the hackers made many other basic mistakes, including failing to hide the path back to the server from which the attacks originated.
That provided clear evidence that the attacks originated in Iran #timeforanewjob
Check Point discovered Balaghi's (Wool3n.H4T) AOL account (AOL, really?!), YaserBalaghi@aol.com, with its uber-1337 password of 123456789 (double #fail). This led them to a Farsi résumé he had posted online to boast of the hacking work he had done for "a cyber-organization", presumably an Iranian security agency :)
The researchers found a database listing the names of the members of the hacking crew (apparently their real ones, as they were typical Iranian first and family names #lol), as well as links to web pages infected with their malware (which was also found on the server).
The database also includes a list of nearly 2,000 targets with their names, email addresses and other information, targeted since August 2014, when the currently used server appears to have been activated.
In one of the false web pages the investigators found the name of Yaser Balaghi, who appears, based on internal messages and emails, to be the "Rocket Kitten" team leader. From there he is easily found with a quick Internet search (see below).
This is a shameful example of bad Iranian OPSEC, and it completely undermines their otherwise arguably respectable technical skills #awkward
Where's Yaser? Here!:
http://yaserbalaghi.com (His main site)
http://stackoverflow.com/users/5617165/yaser-balaghi
https://evilzone.org/profile/?u=15677
https://www.google.com/imgres?imgurl=http://cdn.timesofisrael.com/uploads/2015/11/Balaghi.jpg
http://www.bridgesforpeace.com/images/content/news/News_10Nov15_3_screenshot_Brians_article.jpg
Labels: aol, checkpoint, IDF, iran, israeli defense force, malware, opsec, persian gulf, phishing, rocket kitten, spyware, yaser balaghi