Iranian Hackers Bully VP Joe Biden, Credibly Threaten to Commandeer US Drones, Leak IHS Jane’s CBRN Documents

Some absolutely shocking threats and claims have emerged from a fairly new hacking group on the scene. DefCon’s “y3ti” tipped us off to the group, which calls itself Parastoo and first emerged at the end of last year. Their latest chilling release confirms their earlier claims with an incredible stash of sensitive intelligence that was announced on a series of Iranian activist sites and later found on worldwide file-sharing sites. The bounty is big, the targets are bigger, and the list of items they have hacked is staggering. Among this data and the statements: nuclear intelligence, military information, satellite images, national infrastructure intelligence, and a thinly veiled threat against the vice-president of the United States, Joe Biden.

The group’s first targets were the US Department of Energy (DOE) and the International Atomic Energy Agency (IAEA). Their aim is to leverage the release of information to pressure the IAEA into investigating Israel’s nuclear operations. Following their initial demands, they released the personal information of many IAEA personnel, including email addresses and confidential documents. They further released various satellite images, SafeGuard documents, and several confidential files that were posted on Cryptome and Pastebin. The IAEA, of course, is the same agency that acts as the nuclear watchdog monitoring Iran’s nuclear ambitions. As recently as January, DOE servers were the target of attacks by the same group, and a number of released files were attributed to their exploits.

Threatening Vice President Joe Biden – Drone attacks on US sites

There are always threats; Iran itself threatens Israel and others regularly. There is much cause for concern in some circles, however, in that the threats in the statements made here include the assassination of the Vice-President of the United States, Joe Biden.

WHEN THE VICE PRESIDENT OF A COUNTRY
THREATS THE LEADER OF ANOTHER COUNTRY TO BE
“SERIOUS” FOR A TALK OR EVERYTHING IS ON THE
TABLE, DOES HE HAVE A CLUE HOW EASY IS TO
HUNT A DRONE AND .., SAY , HIT A SECRET
SERVICE CONVOY ?

DOES HE KNOW WHAT IS NOW AN EASY SPORT FOR
PARASTOO , ONCE HAPPENED TO SAYYED ABBAS
MOUSAVI BY IDF CHOPPERS ,ALTHOUGH A BIT
OLD FASHION WAY ? DOES HE KNOW HOW SERIOUS
IS BURNING ALIVE , WITH FAMILY?

DOES HE KNOW WHAT THE CONSEQUENCES ARE IF A
“HAWK” OR “EAGLE” SUDDENLY GOES ROUGE [sic] INTO AN EMBASSY , OR A SANDIA “MOX” HOLDING COMPOUND ,
OR A 20 ACRES WASTE SITE IN NEVADA BURIAL OF
MORE THAN 1000 TONES [sic] DOMESTIC AND IMPORTED
“SERIOUS” MATERIALS THAN EVEN STUPID NRC HAS
OBJECTIONS TO ITS 50 YEARS OLD SECURITY
HANDLED BY AN “EASY” PRIVATE COMPANY? WHAT
ABOUT A FACILITY IN AL-NAQAB DESERT?

The group even went so far as to offer help, or perhaps inspiration, for the desired assassination of the Vice-President using the information they have released.

SO MAYBE A MAN WITH A PLAN OR A SOPHESTICATED [sic]
ORGANIZATION CAN USE THE DIRECTORY ,GOOGLE
AND PERHAPS SOME GOVT SECRET GOODNESS
IN RETURN OF AN OLD FAVOR OR TO GET REVENGE
OF A MUTUAL FRIEND’s ASSASSINATION ..TO GET
THE JOB DONE CHEAP , FAST , SAFE AND GREEN !

Drone hacks may not have hit public awareness yet, but they are real. Keep in mind that Iran gained possession of an American drone under mysterious circumstances very recently, and there were even unconfirmed news reports of another drone being taken by them just a few days ago. Drone technology is a significant enough target for enemy states, and it has been demonstrably breached before through a number of weaknesses. Recently released Iranian video showed images from the drone they were able to recover. It is not an impossible feat for a determined technology force to reverse-engineer anything on the drone platform, including guidance and control systems.

These threats suggest taking control of drones and plowing them into 1000 tons of “Serious” materials at a Sandia MOX compound. Sandia MOX is a project that collects weapons-grade plutonium and converts it into fuel for commercial reactors in fulfillment of a US-Russia nuclear arms reduction agreement.

Looked at as a whole, the knowledge they initially claimed to have could actually be the kind of actionable intelligence that can hurt this country in some very vulnerable spots. The specter of the security threat includes financial, energy, transportation, and more.

IHS Jane’s hacked

The preceding threats were part of the group’s latest announced hack, which targeted IHS Jane’s Group. Jane’s Group is the defense and military intelligence publishing arm of IHS, a global information company with headquarters in Englewood, CO. The most sensitive of the documents released by the hackers include intelligence reports related to CBRN (Chemical, Biological, Radiological, and Nuclear), Weaponry, and Armed Forces. The documents have even been publicly posted, indexed and searchable, in the directory mentioned in the statement on an SSL website, http://quickleak.org

The netblock for that site traces back to a registration by Ehsan Tatasadi out of Tehran.

[Editor’s Note: A word of caution – at least one of the released files was found to be ‘payloaded’ – meaning tread lightly and if you open anything, make sure it’s on a system that you do not particularly care much about (this should be something you do regularly anyway, subject for another day/time). -jc/mrh]

Parastoo’s message announcing the release suggests that their demands regarding an investigation into Israel’s nuclear capabilities remain the same.

LETS SEE HOW A $1.3B BIZ, ACCORDING TO THEIR REPORT TO JPMORGAN, COLLAPSES , THEN CONTINUE
WITH PARASTOO’s DEMAND IN ITS FIRST PUBLIC MESSAGE.

A Trove of Intelligence Information

In their original statement Parastoo claimed to have accessed the following hacked information:

  • More than 450,000 Credit Card records and purchase histories belonging to IHS’s customers covering a 10-year period.
  • Identity information of roughly 800 individuals linked to the nuclear programs of 17 active countries.
  • The identification of 4500 companies who produce parts for nuclear programs and CBRN.
  • 11000 companies engaged in research, parts manufacture, parts sales, consultations, regulation, mining, sensitive material fabrication, waste processing, waste plants, CBRN detection and defense, and educational training.
  • Detailed information on roughly 3000 CBRN incidents dated 1999 – Jan 2013, some with valuable expert comments.
  • Geo-spatial intelligence on roughly 180 active CBRN facilities worldwide, with an estimated 100 facilities of government or military nature.
  • Global geo-data on decommissioned CBRN sites – some origins as canceled projects and some considered active threats.
  • Information on roughly 1900 hazardous products with CBRN roots and more than 300 companies selling detection and protection equipment.
  • Roughly 400 interviews with CBRN product and program-related individuals with ballistics, missile, chemistry hazard, bio-terrorism and nuclear knowledge.
  • Discovery of the IHS portal source code, and a laptop that had access to millions of medical records on U.S. citizens.

The IHS breach and the released information seem to confirm a lot of what they initially reported to have. The scope within is vast and reaches into numerous topics, including politics, elections, terrorism, official military data, the energy industry, private security, airport data and transportation.

Hackers on the IHS hack – It Was EASY

- WE DID NOT MEET ANY CONSIDERABLE IT DEFENSE (emphasis mine)

The statement reports in detail how the attack completely compromised 22 servers hosted at Hosting.com, which has its headquarters and main operations in Denver, CO. They also detail how they were able to breach numerous technologies in their six-month-long information-gathering effort, boasting of their prowess and of having their way with such technologies as:

“ASP.NET, WEBAPP, JBOSS, SPARC SUN SERVERS, BIG IP LOAD-BALANCE, ENTERPRISE REDHAT LINUX SERVERS, WINDOWS 2003 SERVERS, WINDOWS 7 CLIENT USED BY INTERNZ”

Somehow, six long months passed and nobody noticed the worldwide movement of 14 TB of data within IHS’s own infrastructure. AMAZING, yet sadly we see it repeatedly in significant breach reports.

14 TB , UNCOMPRESSED FORMATTED DOX ,DB
DUMPZ , DATABASE FILES NEEDED FOR FURTHER
ANALYSIS , AND LOGS.. WAS JUST TOO MUCH TO
MOVE . IN SHORT PARASTOO SPLIT DATA ON
VARIOUS PLACES INSIDE THE IHS’s OWN
INFRASTRUCTURE , HIDDEN IN PLAIN SIGHT DURING
THE OP SINCE WE HAVEN’T BEEN SURE YET THAT
SUCH CAREFULNESS WOULDN’T BE NEEDED AT ALL
AND LATER EACH PIECE TRANSFERRED TO BOUNCING
SERVERS , NONE BELONG TO US OR REGISTERED OR
BOUGHT BY ANYBODY INSIDE PARASTOO LOCATED IN
ISRAEL , GERMANY , CANADA , FRANCE , UKRAINE
AND ROMANIA , USING COSTUME PROTOCOL CODED AT
NIGHTS WHILE HAD TO HANDLE NONE-CYBER FACTORS
TO KEEP PARASTOO FLYING GETTING SHOT AT “IN
DAY LIFE”
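The statement above describes the pattern defenders most often miss: dumps staged on internal hosts for months, then pushed out piece by piece to relay servers abroad, with nothing in the volume ever tripping an alarm. The following is an added example, not code from the article, from IHS or from the group, showing how such a move would surface in ordinary flow records (NetFlow, firewall or proxy logs) if anyone were looking. The flow records, the 10.0.0.0/8 internal range, the thresholds and the host roles are all constructed for illustration; the three checks (per-host egress bursts against a baseline, cumulative egress over the whole window, and external destinations a host has never contacted before) are the analysis a SOC would run, not anything the page states IHS had in place.

```python
"""Spotting slow, high-volume exfiltration in flow records (added example).

Three checks over daily per-host egress:
  1. burst:   a host's daily egress jumps well above its own baseline
  2. volume:  a host's cumulative egress over the window exceeds a hard cap,
              which catches many "modest" days that add up (the 14 TB case)
  3. new dst: a host starts sending to an external address it never used
              during the baseline window (the "bouncing servers")
All addresses, byte counts and thresholds here are constructed sample data.
"""
from collections import defaultdict
from datetime import date, timedelta
import ipaddress
import statistics

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
MB = 1024 ** 2
GB = 1024 ** 3


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed flow records (day, src, dst, bytes) covering 14 days.

    10.0.1.5 is a busy web server with steady external egress.
    10.0.2.9 is a database server that normally talks only to the web tier
    plus a small vendor update check; from day 7 it starts pushing 400 GB
    per day to an external address that never appeared before.
    """
    flows = []
    start = date(2013, 1, 1)
    for d in range(14):
        day = start + timedelta(days=d)
        flows.append((day, "10.0.1.5", "198.51.100.20", 2 * GB))    # normal web traffic
        flows.append((day, "10.0.2.9", "10.0.1.5", 300 * MB))       # db replies, internal
        flows.append((day, "10.0.2.9", "198.51.100.30", 40 * MB))   # vendor update check
        if d >= 7:
            flows.append((day, "10.0.2.9", "203.0.113.10", 400 * GB))  # staged dumps leaving
    return flows


def daily_egress(flows):
    """Aggregate internal->external bytes per source host per day."""
    egress = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            egress[src][day] += nbytes
    return egress


def new_external_destinations(flows, baseline_days=7):
    """External destinations each host first contacts after the baseline window."""
    first_day = min(day for day, *_ in flows)
    cutoff = first_day + timedelta(days=baseline_days)
    seen_baseline, seen_after = defaultdict(set), defaultdict(set)
    for day, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            (seen_baseline if day < cutoff else seen_after)[src].add(dst)
    return {src: dsts - seen_baseline[src]
            for src, dsts in seen_after.items() if dsts - seen_baseline[src]}


def find_exfil_hosts(flows, baseline_days=7, burst_ratio=5.0,
                     min_burst=1 * GB, total_cap=1024 * GB):
    """Return {src: finding} for hosts that trip any of the three checks."""
    findings = {}
    new_dsts = new_external_destinations(flows, baseline_days)
    for src, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        baseline = statistics.median(per_day[d] for d in days[:baseline_days])
        burst_days = [d for d in days[baseline_days:]
                      if per_day[d] >= min_burst and per_day[d] > burst_ratio * max(baseline, 1)]
        total = sum(per_day.values())
        over_cap = total > total_cap
        if burst_days or over_cap or src in new_dsts:
            findings[src] = {"baseline_bytes": baseline, "burst_days": burst_days,
                             "total_bytes": total, "over_cap": over_cap,
                             "new_destinations": sorted(new_dsts.get(src, set()))}
    return findings


if __name__ == "__main__":
    for host, f in find_exfil_hosts(build_sample_flows()).items():
        print(f"{host}: baseline {f['baseline_bytes'] // MB} MB/day, "
              f"{len(f['burst_days'])} burst days, total {f['total_bytes'] // GB} GB, "
              f"over cap={f['over_cap']}, new destinations={f['new_destinations']}")
```

The web server never trips anything despite moving 28 GB over the window, because its traffic is both steady and expected; the database server is caught three times over. The cumulative cap matters most here: an attacker who keeps each day under the burst threshold still cannot hide a terabyte-scale total from a check that sums over weeks.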

Notably, the group also took to taunting Mandiant, the security firm that was recently all over the news for its direct identification of the Chinese military as a major source of cyber-espionage against the U.S.

WE OFFER MANDIANT GUYZ GET BUSY
INVENTING A FORMULA TO CALCULATE EXACT
MAN/HOUR AND COMPILE A REPORT ON POTENTIAL
CYBER-PHYSICAL ATTACK SCENARIOS TO HELP
PUBLIC LEARN HOW EVIL IS “USSR” AND CHINA

Limited Contact

From what we can tell, it appears that at the moment the group is lying low, claiming to have no internet or social activities of any kind. They have said what they wanted to say, and released what they wanted to release to date. They have mainly communicated, however, with Wikileak.ir, an Iranian information publishing site that states the following guidelines:

1. Published information must not contain threatening contents to Iranian institutions, organizations and individual citizens around the world.

2. Published information must not contain any blasphemy against recognized religions.

3. Information with obscene content such as any adult related materials will not be published due to nature of this website, social and filtering issues.

The only form of contact they have is a fax number found in the original statement. You can bet that, with threats of this kind, a number of three-letter agencies are out to locate this group and ask a few questions.

Analysis – A serious 9/11-style threat

Some weeks ago, former US Secretary of Defense Leon Panetta said that we were in a “pre-9/11 moment”. Though some scoffed at the alarmist tone, I am personally starting to believe this.

If all of this information is true, this has to be one of the most significant national intelligence compromises in history, because of its specificity, because of the parties behind the threats, and because of the confirmation of leaked sensitive data. The threats were issued in response to global events, particularly those concerning the Middle East, Israel and Iran.

One of the most disturbing things, if true, is that the hackers in this group were able to attack and collect information with ease and were utterly unchallenged. The hackers stated time and time again that they encountered almost no protection on the systems they breached and, on some occasions, no antivirus protection, outdated and insufficient systems, and unsecured databases. This makes for a grossly egregious lapse in fundamental security, and we should all be shocked at the ramifications of such sloppy protection. There is just no reason for that kind of information to be put at risk by such a lack of even standard security. Whether it was financial constraints, staff, knowledge gaps, whatever: if you can’t secure it, don’t put it online. IHS’s trademark is “The Source for Critical Information and Insight”; well, it certainly seems that way, except that the information and insight are in the wrong hands now.

At any rate, a good deal of sensitive information was leaked here, and of course it is now seen all over the world. The genie is out of the bottle. Enemy or rival states, whatever you want to call them, are surely analyzing this intelligence at this point. Even more threatening is the fact that any number of rogue groups have collected this information as well.

Not only are waste sites threatened, but information on the national infrastructure (power plants, internet facilities, water facilities, highways, freight lines, ports) has all been exposed. To the uneducated or dishonest, these may sound like encyclopedia or almanac materials, or even ‘publicly available information’, but to a determined enemy it is actionable military intelligence. One significant strike alone could send the country into chaos and a frenetic state for weeks on end.

If you look at the constant raiding and targeting of this country’s most sensitive secrets over the last few years, and the cyber-espionage being committed from China and other countries, it paints a very alarming picture. Cyber-defense and intelligence as an industry have to get better right away.

About John Casaretto

SiliconANGLE's CyberSecurity Editor - Have a story tip or feedback? Please reach out to me! Security is as critical as ever and our mission is to uncover those stories that will help our industry be more secure.