Ansar Group. Is a new APT born?

In the current cyberspace, a new Iranian state-sponsored hacker group has been identified.

The operation was performed by the Labdookhtegan hacking group, already known for leaking tools used by APT34.

All started with the discovering of an Iranian hacking team named “Ashiyane”. Their members have a close cooperation with the Islamic Republic and helped in the recent years indentifying Iranian citizens who participated in the national protests.
Several members have been identified: one of them is “sir shahroukh“, who is also CEO of the company “Pishgaman-e dad-e-tala-ei haraz” and he has close ties with the Islamic Revolutionary Guard Corps.
Another member is “satanic2000”, who was already known in 2013 with the Stars Hacking Team for collaborating to the written of Joomla exploit, which used the Arbitrary File Upload Vulnerability.

Joomla exploit

Thank to Labdookhtegan group operation, satanic2000‘s server has been hacked. In the compromised server, evidence of the plots of the former members of Ashiyane, in cooperation with the regime, were discovered.

satan2000 hacked server

The stolen information clearly expose that he works for the Islamic Republic of Iran and that he is a member of the hacking and security group Ansar, a group that is responsible for a cyber attack against Aramco (multinational petroleum and natural gas company) in Saudi Arabia.
The goals of hacking this company are about including getting access to this company’s scientists, getting access to its oil contracts, methods to infiltrate this oil company, actions for gathering information, carrying out social engineering against the company, etc. (here the translated document)

The following Ansar Group presentations: “Operations Report for the Persian Year 1398“, “Review of the annual report for the year 1397” and Annual report for the year 1398” have been leaked and they show military projects, telecommunication projects, energy projects and planning and developing malware.
Furthermore, in these slides Social Engineering attacks are shown and they aim to steal private information and use them for its illegal activities, started in March 2018.

Following the translated summary post that describes some of their activities:

1. Hacking hotels in Turkey, Georgia, Armenia, and access to the hotel reservations to follow our innocent compatriots outside the country (here the translated document).

2. Hacking websites for searching our compatriots according to their mobile phone numbers.

3. Hacking websites in Saudi Arabia and Jordan.

4. Hacking important companies in Arab countries.

5. Hacking infrastructures in Arab countries, Israel and Turkey.

6. Hacking oil fields and airports in the region.

7. Hacking the website on sanctioning medicine in order to influence the public opnion and to mislead them and to divert the responsibility for the medicine crisis from this desperate regime.

8. Sending out fake emails in order to attack the computers of compatriots in the region and steal their information.

9. Hacking news websites in Iraq in order to publish fake news and influence the public opinion in Iraq, even if that hurts the national interests of an ally country such as Iraq.

Other detected malicious activities are: hacking the office for medical services of Saudi Arabia’s army forces that belongs to Saudi Arabia’s ministry of defense, stealing information about Saudi military personnel and using them for their own purposes.

The Ansar Group also attacked the satellite company Thuraya that belongs to the company “Yahsat” which provides telecommunications coverage in more than 161 countries in Europe, the Middle East, North, Central and East Africa, Asia and Australia.
This hack provides this group the capabilities for stealing customers’ information, locating, intercepting and monitoring millions of civilians.

What has been said so far is only a small part of all the Labdookhtegan hacking operations that are underway, therefore surely there will be updates.

So, is it possible to define Ansar Group as a new APT?


In the end…Italians pay attention!
It should not be forgotten that the Labdookhtegan operation started with Ashiyane hacking team.
From quickly research, it come out the last attacks performed by a member of this group, “Milad Hacking“, defaced the following webistes.
As you can notice, all those webistes are Italians.

Last MiladHacking defaced websites