NCRI - Top cyber security researchers at ClearSky Cyber Security believe that they have linked three hackers, including the man who allegedly hacked into HBO and extorted them for millions of dollars, to the Iranian advanced persistent threat group Charming Kitten.
A recent report from the cyber security firm, details intelligence about Charming Kitten and notes that one of its key members is Iranian national Behzad Mesri (aka Skote Vahshat), who has been indicted in the US for the HBO hack, data theft including unaired episodes of network shows, ransom demands, and the leaking of content to the internet.
Charming Kitten, like many hacking networks within Iran, is actually instructed by the Regime to target people who oppose the Regime (i.e. academic scholars, human rights activists, journalists, and dissidents or exiles) and gain unauthorised access to their personal email and Facebook accounts. This is part of the Regime’s so-called Cyber Army.
Of course, the ClearSky report is more cautious but the links are undeniable.
Mesri is a former employee of the Iranian government who once worked with the Turk Black Hat hacker group. The Iranian Regime doesn’t just let skilled hackers leave their employ to private hack into massive foreign companies and extort them.
It is obvious that the Regime ordered this attack and had HBO paid up, then the Regime would have benefitted financially and that ransom demand would have supported terrorism.
Another member of the Charming Kitten hacker group identified in the report is a 29-year-old Iranian known only by their screenname: ArYaIeIrAN.
ArYaIeIrAN was also a member of the Turk Black Hat group and one website attacked by the hacking group cites both ArYaIeIrAN and Mesri, suggesting they knew each other.
ClearSky identified ArYaIeIrAN as a member through their email address, which appears in the SOA (Start of Authority) record of multiple domains used by Charming Kittens which used persiandns[.]net as their NS (name server).
According to ClearSky: “[ArYaIeIrAN] registered persiandns[.]Net, potentially indicating that he is the administrator of the services and an employee in the company.”
They also managed to identify CEO Mohammad Rasoul Akbari (aka ra3ou1) as a member because of the persiandns redirects to mahanserver[.]ir, which is run by Akbari, a Facebook friend of Mesri.
ClearSky assessed that these three, along with many others, are directly involved with Charming Kitten's operations and constitute a security threat.
Some of their previous hacking exploits involve a backdoor/downloader trojan called DownPaper, which they use to conduct cyber espionage against international targets and creating a fake British news agency to infect specifically whitelisted visitors with a web browser-based penetration testing tool.
Security researcher Collin Anderson of the website "Iran Threats" is credited in the role for his initial suggestions that Mesri was involved with Charming Kitten.