Anti-Israel Hackers Parastoo Prepare for OpIsrael Anniversary
February 4, 2014 • Chris
Anti-Israel hacker organization Parastoo last week announced its intention to join #OpIsrael2, also touted as OpIsrael Birthday, to commence in April. The group is targeting US, NATO, and ISAF engineering, military communications and technology resources.
This was Parastoo’s second public statement during January after several months of silence. However, those statements continue a pattern that suggests the group, which once rattled off a worrisome string of hacks against international energy organizations, is currently limited to PsyOps and riding the coattails of other hacktivists.
Security blogger John Casaretto has written extensively about Parastoo on SiliconAngle, and previously called out the group’s occasional lack of substance. We ask, after Parastoo’s initial successes during late 2012/early 2013, has the group been limited to unsubstantiated claims and self-proclaimed affiliation with OpIsrael actors?
We’ll use Recorded Future for cyber threat intelligence to analyze the timing of Parastoo’s activity. First, let’s get familiar with the group’s claims on Pastebin and Cryptome through the below timeline of digital and physical attacks claimed by Parastoo.
View the interactive timeline
The group’s first claimed data compromises of IAEA information (November 2012) were verified by the target. The subsequent attacks on DOE (January 2013) and Jane’s (February 2013) also appear to have been legitimate and resulted in the publishing of sensitive, if not top-secret, data.
Interestingly, the IHS breach reportedly actually occurred around the same time as the IAEA hack, but information was held until February 2013. The IHS Jane’s data was also posted to Quickleak, which we’ve profiled for its ties to Iran-linked hackers the Islamic Cyber Resistance.
Attribution then quickly gets fuzzy beginning with the Department of Energy breach, which CSO Magazine reported might be the work of Chinese hackers, not Parastoo.
Evaluating the Timing of Parastoo Claims
Parastoo often foreshadows events, but does so in a way that positions the group for opportunistically claiming responsibility. For example, in its announcement on February 22 of the Jane’s data dump, the group referenced the potential for damage from a hijacked drone. This was two weeks prior to the reported UAV sighting near JFK airport on March 5.
Parastoo referenced the drone sighting above New York City on March 8 a day after an anonymous source suggested the group could be responsible. It seems the group either wasn’t ready to take credit or it jumped at the chance to put their name next to a mysterious and unsolved security incident.
The group started referencing Geneva II in mid-2013 as an event around which they would release already captured sensitive information. The international meeting was ultimately delayed until January 2014; as we now know, Parastoo resurfaced during that time but without much of substance. More on that in a moment, particularly their claims of a physical attack on a PG&E substation in San Jose, California.
Verified Incidents Where Parastoo Claims Preceded Official Statements
IAEA Data Dump 1
Announced November 25, 2012 by Parastoo on Pastebin and Cryptome
Confirmed by IAEA on November 26
IAEA Data Dump 2
Announced November 29, 2012 by Parastoo on Cryptome
Confirmed by officials via Reuters on November 30
DOE Server Breach
Announced January 21, 2013 by Parastoo on Cryptome
Internal communication by Department of Energy made on February 1; confirmed by media on February 4
IHS Jane’s Server Breach
Announced February 22 by Parastoo on Cryptome
Confirmed by IHS to Washington Free Beacon with statement that server was compromised but no confidential information was lost and information posted by Parastoo was publicly available in various digital and physical formats.
Delay Emerges in Parastoo Claims Compared to Actual Events
After the IHS information drop last February, we observed a shift in Parastoo’s claims: the group becomes reactive to events. They started hijacking credit or co-opting campaigns carried out by anonymous or unknown parties in order to spread disinformation and fear to Israel and its allies. Read on for examples.
OpIsrael 2013 and OpIsrael Birthday 2014
The broader OpIsrael campaign described as revived at the beginning of this post has been ongoing since fall 2012, and a collective of hackers organized efforts to carry out attacks against multiple targets on April 7, 2013. Last year, Parastoo was not mentioned in an interview with An0nGhost by Hackers Post or in even earlier statements about the planned campaigned published on March 7.
Parastoo, while long referencing the broader online protest against Israel, only included the specific #OpIsrael April 7 operation in its statement of targets on March 9, 2013 two days after the campaign was made public.
For the planned operation during April 2014, An0nGhost announced its plans on December 29, 2013 for OpIsrael anniversary attacks to occur on April 7, 2014. Earlier rumors of the operation were spreading via Twitter on December 22; Parastoo only made its statement more than a month later about their intended participation and recommended targeting.
The group also describes a different data, April 4, rather than the April 7 date called for by An0nGhost and its affiliates. All of this suggests members of Parastoo aren’t closely coordinating with other hacktivist organizations participating in OpIsrael.
Claims of NNSA Breach
During May 2013, Parastoo made a statement distributing public information about the National Nuclear Security Administration (NNSA) while also claiming it had infiltrated secure systems. Nothing has yet come of those claims. Interestingly, NNSA had been breached before, which makes it an ideal candidate for making false claims of data exfiltration. Analysts, media, and the organization itself are challenged to recall and accurately portray what information was previously exposed.
Claims of Second Drone Hack
During early July 2013, Parastoo claims to have hijacked and controlled flight of a UAV over an uninhabited area of Maryland. The group suggested it would release details of this operation and technical spec of the RQ-170 during the Geneva II talks but thus far nothing has been seen. No reports could be verified of the drone supposedly owned by iDirect, but again, this is an opportunistic claims as the group likely will have seen drone activity in that state given the publicity around a crashed drone in June 2012.
Claims Support of Physical Attack on PG&E Substation
On April 16, 2013, vandals cut optic cords and damaged transformers at a PG&E substation near San Jose, California. Eight months after the incident, Parastoo claims to have supported the individuals responsible for that physical security breach. Their statement was made days after attention to the attack resurfaced.
We also recognize that hitting critical infrastructure has long been an intention of Parastoo based on a statement released at Cryptome criticizing the group for such targeting.
What Happens Next with Parastoo and OpIsrael Birthday
This evaluation of open source information from the web suggests that the anti-Israel, Iran-linked hacker group Parastoo hasn’t demonstrated much success of its own for quite some time. However, based on its recent statements, the group remains active and is seeking greater relevance.
Parastoo’s most recent communication claims it is developing a “secure” forum to be hosted at parastoo.ir. We’ll follow this development closely to see if the group gains more sophistication and ammunition for once again conducting successfully disruptive operations after the launching its own communication channel.
Recorded Future’s web intelligence for cyber threat intelligence is structured to enable analysts efficient monitoring and analysis for operations such as the upcoming OpIsrael Birthday. Here’s a live feed of the latest to emerge on that operation.
We’re also prepared to monitor developments related to Parastoo to evaluate whether its current pattern continues in claiming attacks, and likely misrepresenting themselves as the perpetrator, or if new threat capabilities emerge as the group launches its own community space. Reach out to us if you’re interested in setting up your own threat intelligence alerts related to Parastoo or other related threat actors in energy and defense domains.