Wednesday, November 24, 2021

Mahan Air Cyberattack - Exposing dirty secrets of IRGC QF and Further Technical Analysis

Hello friends 🙏 As I promised, I have continued my research on the Mahan Air cyber attack and collected the technical analysis for all of you.

It turned out that the hacker group responsible for this cyberattack, Hooshyarane Vatan, succeeded in accessing Mahan Air's systems because none of the sensitive information was encrypted. It was also revealed that Mahan Air's IT department had actually identified the hackers on the network but had not yet been able to remove them. How bad are the security measures at Mahan Air ???? 😳😳


Hacktivist group responsible for Mahan Air Hack - Hooshyarane Vatan

The first revelation that came out of this cyber attack was evidence that multiple passengers under the name MR Hamrah Hamrah had boarded Iranian flights to Syria more than 70000 times !! All were booked through the same travel agency, Utab Gasht. Utab Gasht appears to be a legitimate company, but it turned out that it regularly transfers funds to a company called Hamrah or Hamrah SYR. The Hamrah company was rarely mentioned by Mahan Air employees, but a number of employees accidentally leaked this information in letters written to the esteemed CEO of the company, Mr. Golparast. Mr. Golparast is an exposed officer of the IRGC and the owner of Qeshm Fars Company, which is a front for the IRGC!! Mahan Air is making dirty deals with IRGC officers !! Incredible! 🤯🤯



Leaked Letter 

Further analysis of this cyber attack also reveals numerous receipts for charter flights fully booked by the Hamrah company, along with hundreds of illegal passengers traveling between Tehran, Damascus and Beirut. This evidence, together with further evidence that the passenger load exceeded limits by hundreds of kilograms, shows that Mahan Air is actively facilitating the IRGC QF's activities and arms deals in Syria and with Hezbollah in Lebanon. There is also a big discrepancy between the passengers who board the flights and those registered in the flight system. More than 400 passengers go missing every month under this name. Who knows what other dangerous personnel and cargo the Islamic Revolutionary Guard Corps carries on these flights alongside innocent civilians? Absolutely embarrassing!! 😡



Leaked Invoice for hidden chartered flights 

It was also revealed that all of these flights were booked using only 15 phone numbers, and that certain people with special privileges are named as boarding Mahan Air flights. Most likely these are IRGC QF officials. They are listed below:



Phone Numbers and Names used for IRGC QF flight bookings at Mahan Air 


After the technical analysis of this cyber attack it is clear that Mahan Air has sold its soul to the IRGC and the QF. How can Mahan Air do this to the Iranian people? A catastrophe could easily have happened while all these covert and evil deals and trips were being carried out. The Hamrah company, together with Utab Gasht and Qeshm Fars, acts as a front company for the IRGC and its sinister motives, and Mahan Air is in bed with them. Disgusting! Friends, please do not travel with this airline anymore 🙏🙏

Monday, November 22, 2021

Mahan Air Suffers From Cyberattack


It has been reported that the Iranian airline Mahan Air has been hit by a cyberattack. According to news agencies, Mahan Air customers received text messages from the hackers, who call themselves Hooshyarane-Vatan. Mahan Air's website was also down during the attack.

I have been following recent cyber attacks against Iranian infrastructure, including the fuel hack a few weeks ago and the hack on the railway which disrupted departure boards. What is interesting is that these attacks appear to be happening within Iran. The train hack, for example, was perpetrated by the Indra hacking group, which experts believe to have been a small hacking group.

The hackers claiming responsibility for this cyber attack say they are a group acting in response to government abuses of the people of Ahvaz; their complaints include water misuse, poisoning of livestock and torture of people. Water misuse is a big issue, and in fact there are many protests about it happening across Iran at the moment.

The hackers are claiming that Mahan Air risks passengers' lives by transporting IRGC weapons on its flights. How easy would it be for an accident to happen when transporting such dangerous weapons, which we can only speculate about? It has been reported that the US made this accusation long ago; however, if the hackers are correct, it appears to still be happening.

According to Mahan Air, the attack has not affected the flight schedule and they have thwarted it. Mahan Air said they are used to such attacks and were therefore able to prevent this one. However, Hooshyarane-Vatan continued to post on Twitter and Telegram yesterday, after Mahan made their announcement.



I will continue looking into this today and tomorrow, as it is very interesting to me. The hackers have put many documents online about Mahan Air, and time will tell what the fallout of this attack will be.


Funny picture posted by @hooshyaran1

Wednesday, November 17, 2021

Lyceum is back! Targeting ISPs and other strategic targets 😡

Reports this week indicate that the notorious Iranian hacker group Lyceum has returned to cause chaos, this time mainly attacking Internet service providers and telecom companies in Morocco, Saudi Arabia, Israel and other companies in the wider Middle East, including an African ministry of foreign affairs.

The Lyceum group, first discovered in 2017 and also known as Hexane, has been identified as responsible for a number of cyberattacks in July and October 2021, according to information from Accenture Cyber Threat Intelligence (ACTI) and Prevailion's Adversarial Counterintelligence Team (PACT). The main focus of the Lyceum group is computer network intrusions against strategic targets of interest to the Iranian regime. It also now appears that they are expanding their reach to other targets, even including countries that are friendly to Iran such as Tunisia.

Lyceum: Puppets of Regime!

The hacker group appears to have stopped using its well-known DanBot .NET and PowerShell scripts to gain unauthorized access to systems, and is now using a number of new techniques to do its evil work, such as Base64-encoded PowerShell scripts and new backdoors written in C++, two new malware families called James and Kevin. The group also relies on DNS tunneling, an intrusion method that uses DNS as a covert communication channel, which allows the group to execute HTTP(S) commands through its malicious C2 functionality. Closer scrutiny of the source code also shows that Lyceum is upgrading its backdoors to stay ahead of defensive systems.

Lyceum is an evil and guilty perpetrator for the Iranian regime, and it seems to continue committing ugly acts against other countries in the region regardless of whether they are friends or not. Please friends, protect yourself against these types of attacks 🙏 by monitoring DNS traffic, being aware of suspicious domains, and reporting them to threat intelligence platforms.
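The DNS tunneling described above leaves a recognisable trace in resolver logs: one client sends many unique, long, high-entropy subdomains to a single parent domain, because the C2 data is packed into the labels. The following is an added example of that "monitor DNS traffic" advice, not code from the original post or from the ACTI/PACT reports; the log format, client addresses and the domain update-check.example are all constructed placeholders.

```python
# Added example (not from the original post or any cited report): a DNS-log
# heuristic for the traffic pattern DNS tunneling produces. Log lines below
# are constructed sample data; update-check.example is a placeholder domain.
import math
import re
from collections import defaultdict

SAMPLE_DNS_LOG = """\
2021-11-15T09:01:02 10.0.0.5 query TXT 8a3f1c9e7b2d4e6f0a1b2c3d4e5f6071.update-check.example
2021-11-15T09:01:03 10.0.0.5 query TXT 9b4e2d0f8c3a5b7e1d2e3f4a5b6c7d82.update-check.example
2021-11-15T09:01:04 10.0.0.5 query TXT ac5f3e1a9d4b6c8f2e3f4a5b6c7d8e93.update-check.example
2021-11-15T09:01:05 10.0.0.5 query TXT bd6a4f2bae5c7d9a3f4a5b6c7d8e9fa4.update-check.example
2021-11-15T09:01:06 10.0.0.5 query TXT ce7b5a3cbf6d8eab4a5b6c7d8e9fa0b5.update-check.example
2021-11-15T09:02:10 10.0.0.7 query A www.microsoft.com
2021-11-15T09:02:11 10.0.0.7 query A outlook.office365.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted payload labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def parent_domain(name: str, labels: int = 2) -> str:
    """Last two labels of a name (naive: ignores public-suffix rules)."""
    return ".".join(name.rstrip(".").split(".")[-labels:])

def find_tunneling_candidates(log_text: str, min_unique: int = 4,
                              min_label_len: int = 24, min_entropy: float = 3.0):
    """Return {(client, parent): stats} for parent domains that look like tunnel endpoints."""
    seen = defaultdict(set)        # (client, parent) -> unique subdomains queried
    encoded = defaultdict(int)     # (client, parent) -> long, high-entropy leading labels
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        parent = parent_domain(qname)
        if qname == parent or not qname.endswith(parent):
            continue
        sub = qname[: -len(parent) - 1]
        seen[(client, parent)].add(sub)
        label = sub.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            encoded[(client, parent)] += 1
    return {key: {"unique_subdomains": len(subs), "encoded_looking": encoded[key]}
            for key, subs in seen.items()
            if len(subs) >= min_unique and encoded[key] >= min_unique}
```

Thresholds are deliberately conservative; in production you would also whitelist known CDN and telemetry domains, which legitimately produce many unique subdomains.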


Will this regime ever stop committing ugly acts in the region?? 😡😡


#cybercrime #cybersecurity #NET #Powershell #cyber #attack #C++ #HTTP #HTTPS #Morocco #SaudiArabia #Tunisia #Israel #Iran #IranianRegime #corrupt #evil

Thursday, November 11, 2021

Who is DEV-0343??

It has been reported by the Microsoft Intelligence Center that malicious password spray attacks, first observed in July, have been attributed to Iranian cybercriminals codenamed DEV-0343.

The term password spray usually refers to a brute-force attack in which a cybercriminal tries the same password against multiple accounts, with the goal of locking the account through repeated attempts to gain unauthorized access.

DEV-0343 has targeted more than 250 Office 365 tenants associated with US, Israeli and EU defense companies, as well as ports and shipping companies in the Persian Gulf. However, fewer than 20 tenants have been successfully compromised.


DEV-0343 

These attacks were carried out by DEV-0343 using an emulated Firefox browser, rotating through IPs hosted on a Tor proxy network. This attempt to remain anonymous did not work: after analyzing the activity pattern and geographical targeting of known Iranian cybercriminals, it became clear that this was the work of this vicious and intrusive regime. Between 7:30 a.m. and 8:30 p.m. Iranian time the group targets hundreds of accounts at a time, hoping that just one account has weak security measures.

Friends, please protect yourself from this criminal group 🙏. Enable two-factor authentication (2FA) on all your accounts, block incoming traffic from anonymizing services such as Tor, and make sure all of your Microsoft Exchange access policies are up to date.
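The spray pattern described above (one source touching hundreds of accounts, only a few attempts each) is visible in sign-in logs and is different from a classic brute force against one account. The following detection rule is an added example, not code from the original post or from Microsoft's report; the log format, the user names, the corp.example domain and the IP addresses are all constructed placeholders.

```python
# Added example (not from the original post or from Microsoft's report): flag
# sources that fail against many distinct accounts with few tries each, the
# password-spray signature. Log lines, names, domains and IPs are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNIN_LOG = """\
2021-07-14T04:00:01Z user=alice@corp.example ip=203.0.113.10 result=FAIL ua=Firefox/78.0
2021-07-14T04:00:02Z user=bob@corp.example ip=203.0.113.10 result=FAIL ua=Firefox/78.0
2021-07-14T04:00:03Z user=carol@corp.example ip=203.0.113.10 result=FAIL ua=Firefox/78.0
2021-07-14T04:00:04Z user=dave@corp.example ip=203.0.113.10 result=FAIL ua=Firefox/78.0
2021-07-14T04:00:05Z user=erin@corp.example ip=203.0.113.10 result=SUCCESS ua=Firefox/78.0
2021-07-14T04:10:00Z user=frank@corp.example ip=198.51.100.7 result=FAIL ua=Chrome/91.0
2021-07-14T04:10:05Z user=frank@corp.example ip=198.51.100.7 result=FAIL ua=Chrome/91.0
2021-07-14T04:10:10Z user=frank@corp.example ip=198.51.100.7 result=FAIL ua=Chrome/91.0
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(\S+) ua=(.*)$")

def parse_signins(log_text):
    """Yield (timestamp, user, source_ip, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_password_spray(log_text, window=timedelta(minutes=30),
                          min_accounts=4, max_per_account=2):
    """Return {source_ip: info} for sources matching the spray signature in any window."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in parse_signins(log_text):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            fails, successes = defaultdict(int), set()
            for ts, user, result in events[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)   # a hit inside a spray window is a likely compromise
            # many distinct accounts, each hit only a few times (unlike a single-account brute force)
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                alerts[ip] = {"accounts_tried": len(fails), "successes": sorted(successes)}
                break
    return alerts
```

Note that the repeated failures against frank@corp.example from the second source are not flagged: that is a single-account brute force, which lockout policies already handle, whereas the spray deliberately stays under them.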

When will this regime stop interfering with the rest of the world while the Iranian people are starving? While Internet blackouts occur regularly? How can the Iranian government continue to claim its lack of money while supporting criminal acts like this? 😡


Follow me on Twitter and Instagram: @_0x7c3

#cybercrime #cybersecurity #DEV0343 #PasswordSpray #cyber #attack #Office365 #Microsoft

Wednesday, November 3, 2021

Iranian fuel station hack and retaliation

Last week fuel stations across Iran were brought to a halt when a cyberattack targeted the petrol systems, affecting fuel pumps across the country and causing huge vehicle backlogs.

Videos on social media showed long waits for fuel and street signs that appeared to have been hacked, showing the message "Khamenei where is our gasoline?", as the attack lasted for many hours.


Hacked billboard showing the message "Khamenei where is our gasoline?"


The attack happened close to the anniversary of the fuel price hike in November two years ago, which led to widespread street protests that were, of course, violently put down by the Iranian Government and the IRGC.

A group called "Predatory Sparrow" took responsibility for the attack with a statement that said "the hack was a response to the cyber actions by Tehran's terrorist regime against the people in the region and around the world".

The Iranian government responded as usual by blaming Israel, and now another mysterious group called "Black Shadow" has hacked into the Israeli internet provider Cyberserve and started to leak sensitive patient data of over 300k people, as well as data of users of the LGBT dating site Atraf.

Will we ever know who caused the fuel cyberattack? Maybe not, but the one thing that is clear to me is that the regime cannot keep its own people safe even at home. Is this another sign that the Iranian state is losing its hold on security? Let me know in the comments friends 🙏