The Washington Post interviewed a number of cybersecurity experts last week who told it that the leak of a treasure trove of Saudi diplomatic documents bears all the hallmarks of Iranian hackers.
The first 70,000 of a half-million stolen documents were released on the Internet last week by WikiLeaks.
At the same time, the Fars news agency in Iran, which is linked to the Pasdaran (Revolution Guards), began running stories based on the documents. Fars said it and WikiLeaks were both given the documents by the “Yemen Cyber Army,” a group never heard from before. (See last week’s Iran Times, page two.)
“These events fit a pattern that looks and smells like Iranian-proxy actors,” said Jen Weedon, manager of threat intelligence at FireEye, a California-based firm specializing in cybersecurity. Although more information is needed to confirm the source of the attacks, she told the Post, the incident “definitely resembles past activity that we’ve seen by Iranian groups.”
Abdullah al-Ali, who heads Cyberkov, a Kuwait-based cybersecurity firm, said the Saudi government has already identified Iranian hackers as the source of the Foreign Ministry breach, which he said started last summer.
He referred to a Saudi cable released by WikiLeaks that shows e-mails among ministry employees discussing an international cyberattack dubbed Operation Cleaver, which began targeting the ministry on July 14, 2014. In the cable, dated Feb. 15, 2015, the employees cite an internal investigation that identifies “Iranian Actors” as part of the attack, which used a phishing technique to infect computers with data-extracting malware.
The US cybersecurity firm Cylance said in a report last year that Iranian hackers carried out Operation Cleaver, which it said targeted 16 countries, including the United States, and affected dozens of government entities and companies involved in transportation, medical and energy services.
A report released Friday by Recorded Future, a firm based in Massachusetts and Sweden that specializes in predictive analytics, describes similarities between Iranian-linked hackers and the Yemen Cyber Army, which claimed responsibility for the Saudi Foreign Ministry hack. The group, not previously known, said the hack was retaliation for the Saudi-led attacks in Yemen.
Among the indicators of the source of the cyberattack, the report notes, is that the Yemen Cyber Army uses an Iran-based file-sharing site, QuickLeak.ir, to dump stolen documents. That site is rarely used by typical so-called hacktivist groups but has been used by the Iranian-linked group Parastoo.
Recorded Future also notes the group’s “close coordination” with Iranian media, pointing out that Fars was the first to report the Yemen Cyber Army claim. Recorded Future commented: “The news outlet quickly emerges as the [Yemen Cyber Army’s] mouthpiece.”