The U.S. Department of Justice has brought charges in absentia against three Iranian citizens suspected of hacking companies in the aerospace and satellite sectors. One of the alleged hackers was previously regarded as a white hat specialist.
According to the prosecutor's office, Said Pourkarim Arabi, Mohammad Reza Espargham and Mohammad Bayati have worked for the Iranian government for many years and have organized hacking campaigns since 2015. Their attacks targeted a wide variety of companies and organizations, both in the United States and around the world, from which the hackers stole commercial information and intellectual property.
According to the published court documents, the defendants created fake online profiles and e-mail accounts to impersonate other people. Typically, they assumed the identities of US citizens working in the satellite and aerospace sectors. Then, using these fake identities, the hackers contacted people working in the targeted organizations by e-mail and tried to get their victims to click on a malicious link.
Investigators report that the hackers selected their targets from an extensive list of approximately 1,800 individuals associated with aerospace and satellite companies, as well as government organizations in countries such as Australia, Israel, Singapore, the United States and the United Kingdom.
If the victim took the bait and malware got onto their system, the hackers used tools such as Metasploit, Mimikatz, NanoCore and a Python backdoor to locate valuable data on the compromised devices and gain a foothold in the network.
According to the American authorities, the group was led by 34-year-old Said Pourkarim Arabi, a member of the Islamic Revolutionary Guard Corps (IRGC). Arabi reportedly lived in an IRGC-owned home, and in his 2015 resume he listed his past hacks, which included attacks on companies in the United States and the United Kingdom.
The second member of the group was allegedly Mohammad Reza Espargham, who is known as a white hat information security specialist and a member of the OWASP Foundation. He has a long record of vulnerabilities discovered in bug bounty programs. For example, he found a vulnerability in WinRAR that allowed arbitrary code execution on the victim's computer. However, according to the investigation, Espargham lived a double life and was a black hat. He was allegedly known online under pseudonyms such as Reza Darkcoder and MRSCO, and was the leader of the Iranian hacking group Dark Coders Team, which specializes in hacking websites.
It is reported that Arabi and Espargham began working together when aerospace and satellite companies became the hackers' main targets. For example, Espargham provided Arabi with malware for attacks, helped with intrusions, and developed a tool called VBScan that scanned vBulletin forums for vulnerabilities. Later, Espargham open-sourced the tool and even actively promoted it on his Twitter account.
The third member of the group, Mohammad Bayati, played roughly the same role as Espargham, that is, he provided his "colleagues" with malware for attacks.
Currently, all three defendants remain at large in Iran, but their names have been added to the FBI's list of most wanted cybercriminals.