‘Islamic Cyber Resistance’ Breaks Iranian Hacker Silence, Exposes Links to SEA

The freeze on Iranian hacktivist activity during nuclear negotiations was broken last week although it doesn’t appear to be government sponsored. The Islamic Cyber Resistance (ICR), not yet discussed on this blog, retaliated against the December 4 assassination of a Hezbollah leader, Hassan Laqiss, by leaking documents  and sensitive information related to the Saudi Army, the Saudi Binladin Group, and the Israel Defense Forces.

Interestingly, the heretofore little known group with links to the Iranian hacker community claims to have previously conducted operations with the Syrian Electronic Army.

The ICR, whose activity is being touted on Iranian hacker forums and a document drop site, claims to have worked in tandem with the SEA earlier this year in hacks against Kuwaiti mobile operator Zain Group (August 10, 2013) and a NASA subdomain (June 22, 2013).

Based on the open source data available to us, it does not appear the ICR has tight operational coordination with other Iran-linked groups the Qassam Cyber Fighters, Parastoo, and the Iranian Cyber Army. Instead, the ICR has so far acted on a pro-Shia, anti-Saudi, and anti-Israel platform rather than a nationalistically driven, pro-Iran agenda.

What’s the Link to Iran?

Information security blogger Kryp3ia mentions the ICR’s links to Anonymous and the SEA in passing while also describing its unique ties to an Iran-based Wikileaks-style in a wide ranging blog post. We’ll seek to expand on his impressive work.

The Kryp3ia post comprehensively details the Wikileak.ir connection back to an IT professional in Tehran so we’ll focus on the Quickleak link. Below you can see the domain registration information for Quickleak.org, created December 5, 2012, includes an admin contact email of domain@zone-hc.com.

The admin contact Mohhamad Rad is also the  registrant of Zone-hc, an Iranian website defacement forum  modeled after Zone-H.

Both the Wikileak.ir website and Quickleak.org Twitter account should be considered valuable resources in monitoring and assessing risk from the ICR. It may even be reasonable to glean early warning of potential targets:

What’s the ICR’s History?

The group’s first information leak on February 25, 2013 contained contact information of Bahraini Military and Intelligence High-Ranked personnel and all High-Ranked United States military personnel located in “Fifth-Base” in Bahrain “in Support of people resistance in Bahrain”. A connection of note is how the data leak claimed a relationship: “‘Islamic Cyber Resistance’ and Wikileak.ir are releasing information…” The Fars News Agency also refers to Wikileaks.ir in the context of ICR as “its website.”

After the Bahrain information leak, the next time we find the phrase Cyber Resistance in this context is related to OpIsrael: a Facebook post by Anonymous Algeria (see below) and a tweet from @SyrianFortress (account now deleted) saying, “They call it ‘cyber terrorism’, but we call it CYBER-RESISTANCE BITCHES #Syria #Israel #Palestine #zionist #SEA #OpIsrael.”

Definitively linking ICR and the manager(s) of Anonymous Algeria’s Facebook feed or the @SyrianFortress Twitter account isn’t possible based on this information in the open source, but the appearance of this phrasing in both sources is notable. Hashtags used by @SyrianFortess linking the cyber resistance phrasing to the Syrian Electronic Army and tweets referencing both @Official_SEA12 and @SyrianFortress is additional evidence, and in our body of research, the earliest clues of ties between the pro-Assad group and the Islamic Cyber Resistance.

The ICR claims to have hacked a sub-domain of NASA during June 2013 and, as mentioned above, Kuwait mobile operator Zain Group during August 2013. Another hack was claimed during mid-October in a post on Quickleak announcing leaked information from Janes Defense.

Interestingly,  confidential information from Jane’s was procured and leaked earlier in the year by Iranian hacker group Parastoo . It’s possible the trivial biographical data leaked by ICR was captured during and recycled out of Parastoo’s infiltration of Jane’s.

Then, as with other Iranian hacker organizations, the ICR went dark around mid-October before re-emerging with these most recent hacks after the assassination of Hassan Laqiss.

Have Hacktivists Previously Retaliated for Hezbollah Targeting?

Only once. And even that Syrian Electronic Army hack related Hezbollah is one with dubious attribution: it remains unclear whether the SEA actually hit Israeli SCADA systems during May following Israeli strikes on a Hezbollah-bound missiles in Syria.

A group “Remember Emad” was part of the OpIsrael campaign on April 7, 2013, mentioned in an announcement by Parastoo as responsible for releasing data from Israeli universities related to aerospace, electronic, and nuclear-related studies. Remember Emad previously hacked an Israeli credit card company (August 2012); the namesake of their organization, Emad Mughniyeh, was killed in a car bomb blast in Damascus on February 12, 2008.

The ICR’s simultaneous action against both Israel and assets they link to Al-Qaeda is interesting given Laqiss’ assassination is being claimed by a Sunni militant group. While there are suspicions this was arranged by Israel, one wonders if the assassination wasn’t simply a convenient political narrative to leak IDF information.

How Does the Timing of ICR Attacks Track Other Hackers?

Past claims from high ranking US officials have linked the Syrian Electronic Army to the Iranian government. However, in the absence of hard evidence, the timing of attacks doesn’t suggest SEA coordination with the prominent Iranian hacker groups the Qassam Cyber Fighters, Parastoo, and Iranian Cyber Army.

Could the ICR consist of hackers that also belong to QCF, Parastoo, and ICA?

Possibly, but  the timing of attacks by ICR suggests independence from other Iran-linked groups  in the same way the lack of overlapping operations between those groups suggests coordination. For example:

• Parastoo leak IHS Jane’s documents on February 22, 2013 just days before the ICR announcement of stolen Bahrain documents on February 25, 2013.
• The NASA hack claimed by ICR is believed to have occurred during June 2013 just as the Iranian Cyber Army was fully focused on targeting political opposition.
• The hack claimed against the Zain Group during August occurred at the same time as QCF was carrying out the final act of its since shelved Operation Ababil.

In sum, several factors lead us to believe the Islamic Cyber Resistance is operating independent of the Iranian government and the QCF, Parastoo, and ICA.

First, the group is not targeting with the precision that reflects a state-driven operation. The Qassam Cyber Fighters targeted banks following international sanctions on Iran, Parastoo went after scientific and international organizations focused on the Iranian nuclear program,  and the ICA attacked domestic political dissidents.

Second, we previously found the Syrian Electronic Army not linked to those three Iran-based groups whereas we find multiple connections between the ICR and SEA in Twitter communication and propaganda. The ICR claimed collaboration with the SEA on Wikileak.ir while Quickleak.org reported the groups as partners; none of the other Iran-linked groups have announced partnerships while the Syrian Electronic Army has been known to partner with other hacktivists when it benefits their cause.

Also, several months after the ICR’s first claimed hack, themes of “cyber resistance” appeared on Twitter channels linked to the SEA. More recently, the SEA included multiple posts on its Facebook page calling out Saudi Arabia as imperialist and terrorist-backing with regards to the Syrian civil war.

Lastly, ICR activities overlap with QCF, Parastoo, or ICA operations, which suggests a lack of coordination. It’s been shown that the other three groups avoid stepping on each others’ toes and remain subdued as nuclear negotiations progress.