Iran appears to have been unsuccessful in avenging the January 2020 death of the commander of its foreign operations, Quds Force general Qassem Soleimani, who was killed by an American UAV missile strike. The mass media tends to track Iranian vengeance efforts in terms of direct attacks on Americans in Syria and Iraq, which so far have been unsuccessful. The situation is different in a less visible war, waged by Iranian hackers, where there have been some recent victories. Iran keeps these victories quiet because continued success depends on the victim not being aware that they have been damaged, or by whom.
The latest Iranian win was due to the efforts of a hacker organization known as APT (Advanced Persistent Threat) 35. Internet security firms track these APT groups and use the APT label to identify groups that have been around for a while, usually with the help of a national sponsor. APT35 is Iranian and often works for the Iranian IRGC (Islamic Revolutionary Guard Corps). Security firms are constantly looking for new APT campaigns, and a recent find was APT35 using Facebook to establish dozens of fake recruiters targeting military personnel leaving the service and seeking civilian employment. APT35 uses this social engineering approach to entice military personnel looking for a lucrative civilian job to supply useful information about their current jobs, or to download apps that appear to help with the job search but actually contain hidden malware (hacker software) that gives the hacker secret access to the user’s computer and possibly to military networks. This APT35 campaign was detected by security firms; Facebook was alerted and began finding and cancelling hundreds of APT35 accounts used to operate the scam. Facebook is still looking and, for the moment, the APT35 campaign is damaged if not destroyed. For APT35 it still counts as a win because much damage has been done, and Facebook and the Department of Defense are trying to measure the extent of it.
Avenging Soleimani was not the only reason for the Facebook campaign, which was expensive to create and sustain. While APT35 was compensated by Iran, its Facebook campaign was also payback for the less visible (in the media) defeats APT35 has suffered since 2018, when the American government secretly authorized the CIA to engage in offensive Cyber War operations. This capability had long been sought, and one reason permission was finally granted was the increased defensive Cyber War capabilities Western companies had developed. That effort was market driven, because the damage done by hacking Internet networks makes it more difficult to sell Internet based equipment and services.
One of the major developments of the last two decades has been the creation and growth of Internet security operations. Initially these were mainly firms that sold and supported their own Internet security software. Soon the major Internet companies got involved, again because it was good business. Hackers were seen as “agricultural pests” in the Internet based computing ecosystem. One after another, Microsoft, Apple, IBM, Amazon and others got more involved in protecting their customers from hackers. These separate operations cooperated by sharing information, especially about hacking groups and about the new tools and techniques hackers were using. The effectiveness of this cooperative effort enabled the CIA to make a case for offensive operations. Enough intelligence was now being obtained, and the U.S. government, the largest computer and network user in the world, had access to it, so the CIA could realistically plan and carry out offensive operations.
While details of offensive operations are usually kept secret, the same is not the case with many defensive operations. That’s because information about hacker techniques and tools is best exploited by letting users know how they are vulnerable, how to avoid it, and how to deal with the problem if they were a target.
One example of this came from the IBM X-Force IRIS (Incident Response and Intelligence Services) security team. One of the many hacking groups X-Force was aware of, an Iranian mercenary hacker cooperative called ITG18, had itself been hacked, and 40 GB of hacker “how-to” videos were obtained. These videos were made to upgrade the skills of Iranian hackers, using Bandicam, a screen recorder that produces annotated videos of on-screen activity. The videos showed how the hackers used their tools and revealed new uses, or more effective uses, of current techniques.
ITG18 is mostly in it for the money, but the Bandicam videos showed that the victims were often military or government personnel who might have access to information that could be sold to any country interested in that sort of thing. The ITG18 hack also revealed many tools and techniques APT35 used, and Iranian hackers in general saw the American effort that publicized their tools as a direct attack that had to be avenged.
X-Force gained much useful information from the Bandicam videos and passed a lot of it on to IBM customers and computer users in general. The videos revealed some techniques that were not previously known, while also showing how effective some security measures were. For example, banks and other Internet services have long urged their customers to use “second-factor authentication” when logging in. The second factor is usually a four-digit security code sent to the user’s cell phone. Over the last year there had been several claims that second-factor schemes could be hacked, even though this took a lot of effort. The ITG18 videos revealed that hackers were advised to ignore accounts that used a second factor, because it consumed so much time to hack and there were so many accounts available that did not use one.
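The reason a second factor costs an attacker so much time is visible in how a server has to handle the code. The following is an added illustration, not code from the article, IBM X-Force, or any product it mentions: a minimal server-side issuer and verifier for an out-of-band one-time code. The `SecondFactor` class, its parameters and the user names are assumptions made for the example; it uses six-digit codes rather than the four-digit codes the article mentions, and a five-minute lifetime with three guesses, all chosen for illustration. The code is stored only as a keyed hash, compared in constant time, expires, is single-use, and is discarded after too many wrong guesses, which is what leaves a password-only attacker with nothing to work on.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCode:
    """Server-side record of a code that was sent out of band and not yet used."""
    code_hash: bytes      # HMAC of the code, so a database leak does not leak live codes
    expires_at: float     # absolute time after which the code is dead
    attempts_left: int    # remaining wrong guesses before the code is discarded


class SecondFactor:
    """Issue and verify one-time codes delivered out of band (e.g. by SMS).

    Hypothetical class written for this example; parameters are assumptions.
    """

    def __init__(self, digits=6, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.digits = digits
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock                 # injectable so tests can move time forward
        self.pending = {}                  # user -> PendingCode
        self.server_key = secrets.token_bytes(32)  # per-process key for hashing codes

    def _hash(self, user, code):
        # Bind the hash to the user so a code issued to one account cannot be replayed on another.
        msg = f"{user}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, user):
        # secrets.randbelow is unbiased; zfill keeps leading zeros so every code has `digits` characters.
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self.pending[user] = PendingCode(
            code_hash=self._hash(user, code),
            expires_at=self.clock() + self.ttl,
            attempts_left=self.max_attempts,
        )
        # In a real deployment this value goes to the SMS gateway only, never back to the browser.
        return code

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False                   # nothing outstanding for this user
        if self.clock() > entry.expires_at:
            del self.pending[user]         # expired codes are removed, not merely rejected
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(user, submitted))
        if ok or entry.attempts_left <= 0:
            del self.pending[user]         # single use on success; lockout after too many guesses
        return ok


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")               # constructed sample user
    print("wrong guess accepted:", sf.verify("alice", "000000" if code != "000000" else "111111"))
    print("correct code accepted:", sf.verify("alice", code))
    print("replay accepted:", sf.verify("alice", code))
```

With these rules an attacker who has only the password gets at most three guesses against a six-digit space inside a five-minute window, and a stolen database of pending codes yields nothing without the in-memory server key. That asymmetry is exactly why the ITG18 training material told operators to move on to accounts without a second factor.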