The Convenient Timing of Iran-Linked Hacker Operations

July 30, 2013 • Chris

We enjoy revealing patterns in cyber activity on this blog, as you might recall from our hacker workday research. And whether or not you believe the al-Qassam Cyber Fighters (QCF) are tied to the Iranian government, the group's ramp-up to phase 4 of Operation Ababil calls for a novel look at alleged associations with Tehran.

We decided to compare the timing of attacks carried out by three cyber organizations with self-proclaimed or alleged links to Iran: the Iranian Cyber Army, Parastoo, and the al-Qassam Cyber Fighters. The Recorded Future timeline below displays these events from July 2010 to present (see the live visualization here, but be patient as the data fills in).

Iran Cyber Teams Attack Timeline

The timing of attacks is remarkable. Activity attributed to the Iranian Cyber Army drops off at the end of July 2012, which was just two months prior to the emergence of QCF and its DDoS attacks on U.S. banks. From that point onwards, when one campaign tails off another begins.

During the first break in QCF’s Operation Ababil, a previously unknown hacker group, Parastoo, emerged with an attack on the International Atomic Energy Agency (IAEA). A similar burst of activity by Parastoo occurred during the downtime between phases 2 and 3 of Operation Ababil. And then, as we noted on this blog, both QCF and Parastoo went dark prior to the Iranian Cyber Army resurfacing in time to disrupt political reform groups during Iran’s presidential campaign season.

Of course, our timeline only reflects open source intelligence available on these groups, and it’s begging for complementary technical evidence and linguistic analysis of communications (avian naming conventions aside). But these would be quite a coincidental bunch of events if the members of the Iranian Cyber Army, Parastoo, and the al-Qassam Cyber Fighters aren’t organizing their calendars together.

We’ll be watching closely to see how events proceed, with the Iranian Cyber Army once more going quiet and the al-Qassam Cyber Fighters gearing up for the 4th phase of Operation Ababil.
