On Wednesday, ZDNet reported that hacker with the online name Lab Dookhtegan leaked a set of hacking tools belonging to Iran’s espionage groups, often identified as the APT34, Oilrig, or HelixKitten, on Telegram. The leaks started somewhere in the mid-March, and included sensitive information, mostly consisting of usernames and passwords.
— Catalin Cimpanu (@campuscodi) April 17, 2019
ZDNet got aware of this hack when a Twitter user DMed them some of the same files that were leaked on Telegram. Though this Twitter user claimed to have worked on the group’s DNSpionage campaign, ZDNet believes that it is also possible that he is a member of a foreign intelligence agency trying to hide their real identity. ZDNet’s assumption is that the Twitter user could be the Telegram Lab Dookhtegan persona.
The hacker leaked the source code of six hacking tools: Glimpse, PoisonFrog, HyperShell, HighShell, Fox Panel, and Webmask. Many cyber-security experts including Chronicle, Alphabet’s cyber-security division, confirmed the authenticity of these tools.
Along with these tools, the hacker also leaked the content from several active backend panels, where victim data had been collected. Chronicle, Alphabet’s cyber-security division, confirmed to ZDNet that the hacker has leaked data of 66 victims, mainly from countries in the Middle East. This data was collected from both government agencies and private companies. The hacker also leaked data from APT34’s past operations, sharing the IP addresses and domains where the group hosted web shells and other operational data.
Besides leaking the data and source code of the hacking tools, the hacker also made public personal information of the Iranian Ministry of Intelligence officers who were involved with APT34 operations including phone numbers, images, and names.
The hacker admitted on the Telegram channel that he has destroyed the control panels of APT34’s hacking tools and wiped their servers clean. So, now the Iranian espionage group has no choice other than starting over. Going by the leaked documents, it seems that Dookhtegan also had some grudge against the Iranian Ministry of Intelligence, which he called “cruel,” “ruthless” and “criminal”.
Now, several cyber-security firms are analyzing the leaked data. In an email to ZDNet, Brandon Levene, Head of Applied Intelligence at Chronicle, said, “It’s likely this group will alter their toolset in order to maintain operational status. There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use.”
To know about this story in detail, visit ZDNet.