Iran and OSINT hunting for fun & profit.

Today, I’m going to go on a very basic hunting adventure. Every so often, I do stuff like this for “fun”.  There’s no deep takeaway here –– just some basic searching and the techniques involved.  Iran seems to be the hotness right now.  I keep seeing articles that they have launched a hacking offensive because of the missile attack carried out in Iraq against the Iranian General Qasem Soleimani. In my experience, statements like this are overblown and not necessarily accurate.  So let’s jump into Horizon® Monitor and take a look at the latest ZoneH artifacts to see if there has been an increase in defacements from Iranians. Over the last few days since the attack, we see a VERY slight increase (under double digit numbers) in the number of attacks.  There have been teams of pro-Palestine groups out there for years and I’m not including those in the numbers.  I’ve only specifically included the attacks that claim to be Iranian. Let’s dig into one of the attackers a bit and see what we can find.

I’m specifically picking this attacker because he’s been mentioned in a few publications as attacking specifically because of the strike.  I’ll show you in a few moments why that is misleading and how he’s a fairly basic script kiddie. Publications are saying his attacks are because of the missile strike, and this is why:

It appears the reason for the defacement is the death of Soleimani.  On the surface it looks this way, but in reality when we look at our data in AliasDB, we can see he’s been defacing sites for quite a while and there hasn’t been a big uptick in defacements from him compared to basically any other time in his history. Over the last few years, he’s taken credit directly for close to 400 defacements (This doesn’t include some sites where he’s been mentioned by other defacement teams).  Most of them are pro-Iranian, and it’s only very recently where he’s become so broken up over his “wonderful” leader. Let’s poke around a bit on his profiles in SocialNet:

Oh, how exciting! He’s got a few badges on PornHub and some amateur YouTube accounts.  He’s got an Instagram with a pretty decent number of followers on various social media platforms. We can see his friends as well as a location and a few other things of interest.

I’ve only spent a few minutes on this, but with this amount of information it’s becoming apparent that we could quickly build a network around him and determine who his real friends and family are.  I have a feeling we won’t find a powerful military group, but instead an insecure kid wearing makeup, watching porn, and writing a few scripts to deface a site here and there. This little field trip is brought to you by an overzealous hype machine. Remember, don’t believe the Iran hype. Some of their “Cyber attackers” are just kids. Happy hunting.