In a hack that is reminiscent of the famous 2016-2017 Shadow Brokers hack of the NSA, a mysterious entity known only as Lab Dookhtegan (“Read My Lips”) is now leaking the source code of the cyber-espionage tools of the Iranian hacker group APT34 (also known as OilRig). They are doing so via different online channels, including Telegram and public hacking forums. In addition, Lab Dookhtegan is releasing the names, addresses, photos and phone numbers of some members of the Iranian Ministry of Intelligence responsible for state-sponsored cyber attacks. The goal of the online data dump is to bring a halt to these cyber-espionage activities by exposing the tools and source code used by the Iranian hackers.
Who is exposing the Iranian hackers?
The big question, of course, is who is really behind the attacks that started on March 26. There have been a number of competing theories about who is exposing the Iranian hackers via the Telegram channel. The first theory is that a disgruntled member of APT34 is behind the hack, and is doing this to exact revenge on members of the Iranian Ministry of Intelligence. This would explain why all of the leaked tools thus far analyzed by cybersecurity researchers (including security firm FireEye) appear to be legitimate.
Another theory – and the most likely one – is that Lab Dookhtegan is a small group of Iranian hackers opposed to the current regime and looking to disrupt it as much as possible. By doxing Iranian cyber-intelligence officials, and by leaving behind messages encouraging others to join in the fight, they are hoping to set off a chain reaction of events, leading to the ultimate downfall of the current Iranian regime. For example, one message that Lab Dookhtegan sent was, “We hope that other Iranian citizens will act for exposing this regime’s real ugly face.” Another message left on a server belonging to the Iranian hackers was, “We destroyed this server and we will destroy you!”
And, finally, a third theory is that Lab Dookhtegan is actually a clever counter-intelligence operation launched by a foreign government. While Lab Dookhtegan appears to be Iranian in origin, it could just as easily be an Israeli counter-intelligence effort. Or, it could be an American counter-intelligence operation designed to bring about regime change – something that the Trump administration in the United States has been talking about for more than two years now. Remember – the famous Stuxnet virus that infiltrated Iran’s nuclear operational facilities around the time of the Iranian nuclear deal also was theorized to stem from Israeli or U.S. sources.
Implications of the mystery data dump
What is interesting about this “hack of the hackers” is that it appears to be an ongoing operation, and not a one-off event. In other words, Lab Dookhtegan has promised to continue dumping tools as well as the names, addresses, photos and personal information of the different Iranian hackers thought to be collaborating with the Iranian government as part of the cyber-espionage operations.
One big concern in the cybersecurity community is that some of the source code and hacker tools dumped by Lab Dookhtegan might be “recycled” and used by other hackers. After the Shadow Brokers exposed the hacking tools and approaches of the NSA, for example, some of those tools were re-purposed and re-weaponized. In fact, they are linked to the WannaCry and NotPetya cyber attacks that crippled the Internet.
For now, it looks like Lab Dookhtegan has been careful not to have a repeat of the Shadow Brokers scenario. In every case analyzed by cyber researchers, there appear to be missing pieces or elements (such as password credentials) that make the tools unusable. So, the good news is that tools once used by the Islamic Revolutionary Guard Corps or other Iranian military-intelligence units won’t wind up in the hands of non-state actors.
The specter of a broadening cyber war
The big picture, though, is that the world appears to be on the cusp of a major cyber war. Iranian hackers have been linked to cyber attacks and cyber-espionage campaigns not just in Iran’s neighboring countries in the Middle East, but also in Britain, Australia and the United States. Thus, it is not out of the realm of possibility that Britain, Australia and the U.S. might be launching their own offensive strikes against Iran.
More broadly, both China and Russia have also been involved in massive cyber-espionage campaigns, with many cyber security firms now believing that both nations have attempted to break into America’s power grid and tamper with the nation’s infrastructure. In the Middle East, Russia and Iran have worked together militarily, so it is quite possible that any cyber attack on Iran might somehow bring Russia into the fray as well.
If you look at the sheer breadth of victims of APT34, you can start to get a sense for just how broad any future cyber war is going to be. According to the data leak from Lab Dookhtegan, the “cruel managers” in the Iranian Ministry of Intelligence targeted businesses and government entities around the world: firms in Saudi Arabia (including Saudi Aramco), the National Security Agency of Bahrain, Abu Dhabi Airports, a South Korean gaming company and a Mexican government agency. All told, the cyber tools APT34 (OilRig) used were able to infiltrate at least 66 different entities or organizations.
So how will the “ruthless” Iranian Ministry of Intelligence respond? The conventional wisdom here is that the hacking group known as APT34 (OilRig) will need to suspend its operations for the foreseeable future, as it comes up with a whole new set of tools. Thus, the counter-hack, while effective for now, is really only a short-term solution. Hackers all over the world have shown that, when confronted with new cyber defenses, they are remarkably efficient at devising new approaches. It is literally an arms race, as “white hat” hackers race to keep up with “black hat” hackers. In this particular situation, Lab Dookhtegan are really “gray hat” hackers, because nobody knows their exact relationship to the Iranian hackers.
Offensive vs. defensive cyber capabilities
One thing is certain, though: this new leak and data dump of the APT34 Iranian hackers signals that offensive cyber capabilities may end up being a much more effective deterrent than defensive cyber capabilities. Lab Dookhtegan is taking a very aggressive approach by “naming and shaming” members of the Iranian intelligence authorities responsible for cyber-espionage. And, by wiping servers belonging to the Iranian intelligence authorities completely clean (and leaving behind vengeful messages), they are sending a very clear message to the Iranian hackers: This is only the beginning of what is possible if you do not cease operations immediately. At the end of the day, that might end up being the best deterrent possible.