A new study from Recorded Future’s Insikt Group looks at the rise and fall of Ashiyane — Iran’s first and foremost security forum — and its figurehead, Behrooz Kamalian. Ashiyane was shut down in August 2018, and some of its former hacker members have migrated to other forums, notably the Persian Tools Forum and VBIran.ir.
According to Recorded Future’s researchers, Iran’s hacking scene is a complex mix of government-sponsored contractors. The most prominent feature in modern Iranian history is its tendency to employ proxies for extra-national activities; such as Hezbollah against Israel and Yemen rebels against Saudi Arabia. It follows that the obvious route for foreign cyber-attacks would also involve proxies in the form of contractors frequently drawn from the hacking forums, rather than directly employed military personnel (a route frequently used by China).
For many years, Ashiyane — formed out of the Ashiyane Digital Security Team founded and run by Behrooz Kamalian (sometimes known as the ‘father of Iranian hacking’) — was the foremost hacker forum.
“When asked about Ashiyane Digital Security Team’s possible involvement with Iranian state-sponsored efforts,” reports Insikt, “Behrooz has claimed that while Ashiyane Forum operates independently and spontaneously, they cooperate with Iranian military apparatuses in advising and improving security, and ‘have always operated in the framework of the goals of the state’.”
But the Iranian picture painted by Insikt is confused and confusing. This may partly be due to Iran’s late arrival to international hacking. Since the Stuxnet incident (2010), it is well known that the state has sought to improve its cyber capabilities; but the natural condition still responsive rather than proactive. In 2011, writes Insikt, “One member of the Ashiyane Digital Security Team participated in an IRGC-led [Iranian Revolutionary Guard Corps] distributed denial-of-service (DDoS) campaign against U.S. financial institutions in December 2011, lasting over 176 days.”
Similarly — and possibly with Russian cyber assistance — Iran is believed to have developed the original Shamoon wiper that it used against what it considers to be American interests in the area; that is the Saudi Aramco oil company.
Before Stuxnet, it appears that the greater part of Iranian hacking revolved around web defacements and religious propaganda. However, in 2009, the Iranian government issued a directive to blacklist all hacking sites — probably in response to the Iranian Green Movement (which at the time prompted fears or hopes of an ‘Iranian Spring’).
Behrooz Kamalian seems to have deep ties with the Iranian government. “Ashiyane Forum was one of the only hacking forums that remained,” writes Insikt, “and according to Insikt Group’s source, the Iranian hacking community speculated that Kamalian essentially struck a sole-source deal with the Iranian government. Ashiyane Forum had become the primary forum connecting to the new generation of Iranian hackers.”
It was Stuxnet, one year later, that seems to have re-ignited government tolerance of private hackers. Throughout the post-Stuxnet period, the Iranian government has tolerated the hacking expeditions of the hacker forums, especially where they align with the national interests, culture and religion of the country — and Ashiyane was the primary forum and primary source of private hackers.
Over the last decade, Ashiyane grew to a total of around 20,000 active users. Insikt’s analysis over this period suggests that the greater part of the content of the forum focused on web exploitation. “Cross-site scripting, DDoS attacks, SQL, and other browser-based code injections have been the primary subjects since the forumís inception,” it writes. Over the last four years, Android exploits have been included, mirroring the growth of Android devices from 26% of the device market in 2014 to 37% in 2015.
The top hacker tools advertised on the forum in 2015 included Android RATs (AndroRAT and Dendroid RAT), and the Citroni ransomware. In 2016, emphasis shifted to exploits for consumer electronics, Android devices (including DroidJack), PC trojan njRAT, and USB malware. “PoisonTap became popular, as did questions about DDoS and SQL injection attacks,” writes Insikt. In 2017, queries on Linux products and enterprise content management were added to the mix. This is the stuff of standard hacker forums, probably indicating a consistent stream of new members registering.
But it is after this that the history suddenly gets confused. On March 12, 2018, the official Ashiyane Digital Security Team channel stated that the Iranian court had ordered them to shut down all their activities until further notice. Insikt speculates that the forum was engaged in operating illegal gambling websites — an offense punishable by death or life imprisonment. In 2013, a leak of a portion of the Ashiyane database did indeed indicate a link to online gambling.
The Ashiyane Forum suddenly disappeared on August 5, 2018. There was no explanation. It has been suggested that Kamalian had been arrested and imprisoned. This may be true, but if so, he had been released by early November. On November 8 he posted an Instagram video where an Iranian actor thanked him for regaining access to his compromised Instagram account. Kamalian seems to be rebuilding his position as a whitehat hacker helping celebrities.
It is difficult to believe that the closure of Ashiyane and the rebranding of Kamalian indicate a withdrawal from international cyber activity by Iran. Nevertheless, something seems to be happening. Insikt’s Levi Gundert — a former special agent for the Secret Service and FBI and now vice president of intelligence and risk at Recorded Future — told SecurityWeek that it is possible that Kamalian could still be engaged in more nefarious activities under a different name; and that if so, it is possible that western intelligence will sooner or later recognize him. In the meantime, Insikt hasn’t observed the emergence of any central figure with the same level of notoriety.
Concurrent with this, a high-profile example of Iranian activity is the recent U.S. indictment of two Iranian citizens for operating the SamSam ransomware. This is interesting because SamSam seems to be pure criminal profit-driven activity rather than the typical retaliatory official response to events. If government-sponsored it could possibly be in retaliation for President Trump’s withdrawal from the Iran Nuclear Agreement, but there is no clear linkage.
Noticeably, neither of the indicted Iranians appear in Dancho Danchev’s publication today of ‘Iran’s Most Wanted Cybercriminals’. Gundert simply told SecurityWeek, “We cannot currently comment on Iranian government affiliations between Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri.”
Related: Iran-Linked DNS Hijacking Attacks Target Organizations Worldwide
Related: Iran Hackers Hunt Nuke Workers, US Officials
Related: Iran-Linked Espionage Group Continues Attacks on Middle East
Related: Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs