Very Demure, Very Mindful Phishing
Welcome to Memetic Warfare.
I’m Ari, and I’m the founder of Telemetry Data Labs - a Telegram search engine and analytics platform available at Telemetryapp.io. I also provide training, consulting and research so if you have any specific needs - feel free to reach out on LinkedIn.
This week will, unsurprisingly, again be dedicated primarily to Iran due to the huge uptick in general Iranian IO and cyber activity. Don’t take it from me though! We had a comparatively rare (at this stage in the game) statement from the ODNI, FBI and CISA on Iranian “election influence efforts” from APT 42 - see below:
No question that so far Iran has turned out to be the spoiler for these elections. Will Russia be able to “chew gum and walk at the same time,” as the saying goes? I’m a bit more skeptical to be honest, but it’s still too early to say. As in anything in life, a little gumption and willpower makes even a comparatively less capable adversary, such as Iran, capable of things we wouldn’t have foreseen. Meta even provided some insight into the use of WhatsApp by APT 42.
It’s good to see CISA and the FBI getting more involved in countering foreign interference over the past few months. Some of you may recall that the FBI stopped reporting foreign disinformation to tech companies/platforms following political pressure, only to resume in August of this year, as per the NYT.
This may have something to do with the recent takedown of the Twitter account of the pro-Palestine hacktivist group “Handala” by Twitter itself, as reported by the Record.
While the group uses Palestinian imagery, many - as stated by the Record - believe it to be a front for Iranian activity.
Given that their account was taken down shortly after the ODNI/FBI/CISA statement, could there have been some sort of information sharing or request there? Quite possibly.
Could it instead be coincidental, with the account removed simply because they posted hacked/stolen content? Also quite possible. Either way, they’re back with a verified backup Twitter account and are still actively posting hacked data from an Israeli company.
They’re also still active defacing Israeli sites - just googling Handala retrieves one still-defaced victim site, presumably from a while back:
The domain listed there has since been replaced, and they’ve of course remained active on Telegram. Maybe I’ll get around to looking at their activity sometime.
Those interested in seeing how the Israeli government tries to mitigate hack-and-leak operations carried out by suspected fronts like Handala should check out Omer Benjakob’s article in Haaretz on the very topic. I’m quoted there as well and occasionally collaborate with Omer; if you’re interested in Israeli/Iranian cyber and IO activity, follow him. We also briefly discuss a hack-and-leak with a gag order on it that I hope to eventually bring up here.
There is also other Iranian influence activity targeting Israel that recently came to light following an indictment, the second such case in recent months (see the article). A 30-year-old Israeli from Ramat Gan was indicted for taking orders from an Iranian handler, as reported by the Times of Israel:
Physical activity in the IO space is a hot topic this year, and this is another example of it being a key goal for Iranian operators. In this case, the Israeli asset, compensated via crypto, was told to hang posters in favor of a “military coup”, buy a burner phone and SIM card along with a wig, gloves and a hat to disguise himself, and promote a Telegram group to recruit more Israelis.
For those curious - see a screenshot of the group below in the original Hebrew:
Overall the Hebrew is not terribly written, but there is some weird phrasing and grammar that a native speaker wouldn’t use. Will the above trends turn into a recurring pattern? We’ll know more as time goes by.
We’ll conclude with one of the recent episodes of Risky Business. Risky Business routinely has some heavy hitters in the industry on to discuss cyber-enabled IO, and in this episode they have Chris Krebs and Alex Stamos on to discuss the above Iranian activity that we just reviewed.
Thanks for reading. For those curious, there may not be any posts in the coming week or two; if there isn’t a post next week, the blog will be back up and active by mid-September.