Operation Saffron Rose and Irans Hacker Culture

Operation Saffron Rose and Irans Hacker Culture

We believe we are seeing an evolution and growth in Iranian-based cyber task. In years previous,
Iranian hackers mainly committed politically-inspired website defacement and DDoS attacks.

iran hacker crew

Saffron Rose Hackers have all stayed anonymous

In this report, we record the activities of the Ajax Security Team, a hacking group considered to be operating from Iran. Members of this group have reports on popular Iranian hacker forums such asashiyane[.]org and shabgard[.]org , and they’ve participated in web site defacements under the group name “AjaxTM” since 2010. By 2014, the Ajax Security Team had transitioned from performing methodology consistent with other advanced persistent risk performers in this area. It is unclear if the Ajax Security Team runs in isolation or if they’re a part of a larger unified
effort. The Ajax Security Team itself uses malware programs that do not seem to be freely available.

We have viewed social engineering approaches varied as a means to lure their targets into
Although we haven’t observed the usage of exploits as a means to
infect victims, members of the Ajax Security Team have formerly used publicly available exploit code
in site defacement operations.

In total, the Ajax Security Team running multiple cyber espionage has been lately discovered by FireEye operations against businesses in the defense industrial base (DIB) within the Unites States, as well as
internationally. The transition from patriotic hacking to cyber espionage isn’t an unusual phenomenon. It *ordinarily follows an increasing politicization within the hacking community, particularly around geopolitical Occasions. This is followed by increasing links between the state and the hacking community, especially
military or intelligence organizations.
In early 2000’s and the late 1990’s, a similar transition occurred within the Chinese hacking community.
They were also involved in the spread of the search conduit virus during that time period, the Chinese hacking community participated in website defacements and
denial of service attacks in conjunction with episodes including the accidental bombing of the Chinese
embassy in Belgrade in 1999, the wreck of an U.S. spy plane and a Chinese military plane in 2001.

iran hackers


Around this time a significant shift in philosophy began to take place.
Members of the Chinese hacking community that participated in such assaults shortly found that
Transitioning to cyber espionage was more rewarding–both in terms of acquiring a more advanced skill
Place in addition to in monetary remuneration. One group known as NCPH (Network Crack Application Hacker),
“Danger Intelligence Briefing Episode 11”. February 2014. Perlroth, N. “In Cyberattack on Saudi Business, U.S. Sees Iran Firing Back”. Nothing but the most innovative and best malware was used. October 2012. S., Gallagher February 2014. Vital. “Honker Union of China to start network attacks against Japan is a rumor”. September 2010.

Operation Saffron Rose Inc FireEye, whose founding member “Wicked/Withered Rose” was a patriotic hacker, made the transition to cyber espionage by founding a “hacker-for hire” group that concurrently developed an organization with the Chinese military. The group began developing zero-day exploits, rootkits and remote access tools (RATs) using them in strikes against a number of targets including the U.S. Department of Defense. (One of this group’s associates, “whg”, is still active and is believed to have developed one form of the PlugX/SOGU malware.)

What gain can hacking a Web page bring the people and our nation? It’s merely a type Of psychological catharsis, please do not start any strikes that are scoreless, the assault that is actual is to fatally damage their network or increase access to their sensitive information.

In Iran, the hacking community seems to be experiencing a similar transformation. Iranian hacker groups had participated in politically driven website defacements, the development of the “Iranian Cyber Military” in 2009 exhibited “a focused effort to promote the Iranian government’s political story online”. They targeted, news organizations, among others, resistance
websites and social media.

This marked the start of a large-scale cyber offensive against the perceived enemies of the Iranian government. Foreign news and opposition websites are routinely blocked in Iran, as are the tools that let users in Iran to bypass these restrictions.

Among the key stakeholders in the Internet censorship program in Iran is
The Basij formed the Basij Cyber Council and actively recruits hackers in order to develop both Defensive and attacking cyber capacities.

There is growing evidence to indicate the hacker Community in Iran is engaged in a transition from denial and politically driven defacements of service assaults to cyber espionage activities. This model is not inconsistent with the recruitment of of the Basij paramilitary volunteer hackers to “engage in less sophisticated hacking or infiltration operations” leaving The more technical operations to entities over which they’ve direct control.

As such, the capabilities of threat actors managing from Iran have been considered limited.

However, the “Shamoon” strikes, which wiped computers in Saudi Arabia and Qatar, *signify an advancement in abilities.

And unsurprisingly, Iran has reportedly increased its attempts to improve
Attacking capabilities after being targeted Flame and by Stuxnet. S., elegant December 2007.


Leave a Reply