Hacking with the Star(link)s
Welcome to Memetic Warfare.
This week we’ll check in on Iranian cyber-enabled IO, starting off with Handala.
What’s interesting about Handala is that they’ve structured their activity into several campaigns, including “Handala Alert”, their new “media support” division. Essentially, they are moving from cyber-enabled influence operations to operating more holistically, and really trying to play up their successes following recent coverage in Israeli media.
They will also be working on “field action” and recruitment, presumably for physical IO and espionage:
They also proudly list their mentions in international media. I’m a bit offended not to be listed here:
This is only one of Iran’s recent ventures. Another interesting one is “Toufan Leaks”. Toufan Leaks and Cyber Toufan have been around for a while, but they’ve recently rebranded their efforts as well to include a channel named “ILDefenseLeaks” touting some ASCII art, really putting their goals out there.
The new Toufan Leaks website is fronted by a Cloudflare proxy. Luckily, Censys still finds the actual host. (Cloudflare only hides an origin IP as long as nothing else exposes it; a server that presents the site’s certificate directly on its own address shows up in certificate search regardless of the proxy.)
The hosting provider is “1337 Services GmbH”, a reference to “leet” for those who don’t follow. The host is in Poland, but the company is seemingly German and a self-described bulletproof hosting firm:
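As an added example (not from the original post, and not Censys’s or Cloudflare’s own code), here is the triage a practitioner does after a certificate search returns several hosts for a domain: drop the hits that sit in Cloudflare’s published edge ranges, keep the rest as origin candidates, and generate the direct-connect check that confirms one. The Cloudflare ranges below are a snapshot of the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and should be refreshed before use; the domain, IPs and hit records are constructed sample data, and the Censys query field names are an assumption to be checked against the current search schema.

```python
"""Origin-host triage for a site fronted by Cloudflare (added example).

1. is_cloudflare()       - is this IP one of Cloudflare's edge addresses?
2. censys_origin_query() - build a certificate-search query for the domain
3. origin_candidates()   - filter search hits down to non-Cloudflare hosts
4. verify_command()      - curl command that talks to a candidate directly,
                           sending the real hostname as SNI/Host
"""
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh
# from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the Cloudflare edge ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def censys_origin_query(domain: str) -> str:
    """Censys-style host query: certificates naming the domain, excluding
    Cloudflare-issued ones. Field names are an assumption; check the schema."""
    return (
        f'services.tls.certificates.leaf_data.names: "{domain}" '
        f'and not services.tls.certificates.leaf_data.issuer.organization: "Cloudflare, Inc."'
    )


def origin_candidates(hits: list[dict], domain: str) -> list[str]:
    """Keep hits whose certificate names the domain and whose IP is not a
    Cloudflare edge address. hits are dicts with 'ip' and 'names' keys."""
    return [h["ip"] for h in hits if domain in h["names"] and not is_cloudflare(h["ip"])]


def verify_command(domain: str, ip: str) -> str:
    """Direct-connect check: --resolve pins the hostname to the candidate IP so
    curl sends the real SNI and Host header without touching DNS or Cloudflare."""
    return f"curl -sk --resolve {domain}:443:{ip} -o /dev/null -w '%{{http_code}}' https://{domain}/"


# Constructed sample hits, shaped like certificate-search results (not real data).
SAMPLE_DOMAIN = "leaks-site.invalid"
SAMPLE_HITS = [
    {"ip": "104.21.55.10", "names": [SAMPLE_DOMAIN], "asn_name": "CLOUDFLARENET"},
    {"ip": "198.51.100.23", "names": [SAMPLE_DOMAIN], "asn_name": "EXAMPLE-HOSTING"},
    {"ip": "172.67.140.5", "names": [SAMPLE_DOMAIN], "asn_name": "CLOUDFLARENET"},
    {"ip": "203.0.113.77", "names": ["unrelated.invalid"], "asn_name": "EXAMPLE-HOSTING"},
]

if __name__ == "__main__":
    print(censys_origin_query(SAMPLE_DOMAIN))
    for ip in origin_candidates(SAMPLE_HITS, SAMPLE_DOMAIN):
        print(ip, "->", verify_command(SAMPLE_DOMAIN, ip))
```

The direct-connect step matters: a candidate that answers on its own IP with the site’s certificate and content is the origin; one that refuses the connection or serves a default page is either a stale certificate or a host that only accepts Cloudflare’s IPs.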
They proudly advertise themselves as such:
Just googling the company name shows that it is in fact registered:
Googling the key principal’s name, or their previous bulletproof RDP site “rdp.sh”, finds that others, such as Krebs on Security, have written about the company and its alleged ties to cybercrime forums and activity:
So, the dynamic of Iranian operations using European bulletproof hosting firms remains consistent, and it’s kind of astounding how this sort of thing apparently remains legal in the EU. Seems to me like the kind of thing the EU should focus on instead of, say, cookie acceptance buttons or the GDPR?
We’ll end with an interesting finding from Check Point: Handala uses Starlink to keep operating even when the internet is down in Iran. It’s fascinating to me how Iran can’t seem to manage their internet effectively enough to let their own threat actors through at the scale needed.
That’s it for this week, thanks for reading.