The US Department of Justice has filed charges in absentia against three Iranian hackers suspected of hacking into companies in aerospace and satellite sectors. One of the alleged hackers was previously considered a white hat specialist.
According to prosecutors, Said Pourkarim Arabi, Mohammad Reza Espargham and Mohammad Bayati have worked for the Iranian government for many years and have organized hacking campaigns since 2015. Their attacks targeted a wide variety of companies and organizations, both in the United States and around the world, from which the hackers stole commercial information and intellectual property.
As a reminder, we also wrote that the Iranian hacker group Cobalt Dickens attacked more than 60 universities around the world.
According to the released court documents, the defendants created fake online profiles and e-mail accounts to impersonate other people.
“Typically, they assumed the identity of US citizens working in the satellite and aerospace sectors. Then, using these fake identities, the hackers contacted people working in targeted organizations by mail and tried to force their victims to click on the malicious link,” say the court documents.
Investigators report that the hackers selected their targets from an extensive list of approximately 1,800 people associated with aerospace and satellite companies, as well as government organizations in countries such as Australia, Israel, Singapore, the United States and the United Kingdom.
If a victim took the bait and malware was installed on their system, the hackers used tools such as Metasploit, Mimikatz, NanoCore and a Python backdoor to locate valuable data on the compromised devices and gain a foothold in the network.
According to the US authorities, the group was led by 34-year-old Said Pourkarim Arabi, who was a member of the Islamic Revolutionary Guard Corps (IRGC). Arabi reportedly lived in an IRGC-owned home, and in his 2015 resume he listed his past hacks, which included attacks on companies in the US and UK.
The second member of the group was Mohammad Reza Espargham, who is known as a white hat information security specialist and a member of the OWASP Foundation. In particular, he has discovered many vulnerabilities through bug bounty programs; for example, he found a vulnerability in WinRAR that allowed arbitrary code execution on the victim’s computer. However, the investigation uncovered other facts in his biography.
“Espargham lived a double life and was a black hat. He was allegedly known online under pseudonyms such as Reza Darkcoder and MRSCO and was the leader of the Iranian hack group Dark Coders Team, which specializes in hacking sites,” say the investigation documents.
It is reported that Arabi and Espargham started working together when aerospace and satellite companies became the group’s main targets. For example, Espargham provided Arabi with malware for the attacks, helped with the intrusions, and developed a tool called VBScan that scanned vBulletin forums for vulnerabilities. Later, Espargham open-sourced this tool and even actively promoted it on Twitter.
The third member of the group, Mohammad Bayati, played roughly the same role as Espargham, that is, he supplied his “colleagues” with malware for the attacks.
Currently, all three of the accused remain at large in Iran, but their names have been added to the FBI’s most wanted list of cybercriminals.
Let me also remind you that the US Department of Homeland Security has warned that Iranian hackers are destroying data.