Iranian IHU EWCD Malware Domains
ICNA have already posted about the links between malware here, and the Iranian State. We have done some further research.
In early March 2017 the Kaspersky report identified several domains associated with malware, including:
- securityupdated.com and
Further research identified the IP addresses that these websites were hosted on. Querying these addresses on the sites gives information on SSL certificates used by IPs/websites.
Having the same SSL certificate is a definite sign that the server is owned by the same person. ICNA found that there was one particular SSL certificate that was common to these four IP addresses and also three additional domains:
- microsoftupdated.net and
Online WHOIS information on reconnectedbrowser.com shows the registrant of the website used the Iranian -Tehran- phone number 98-21-22444784 and email address of: [email protected]. This phone number is associated with the email address of [email protected] which appears on the website http://conf.ihu.ac.ir/node/147 under the article “Intelligent Security C4I network to identify invaders” and is listed as a “Security expert at the Research Center Afaq“.
Reconnectedbrowser.com can be linked to the Imam Hossein University -IHU- through research. The IHU is funded by the IRGC; this provides a clear direct link to the Iranian State.
Kaspersky only tentatively suggested a link to Iran, through the use of Farsi language text. The link ICNA has found is more direct.
Imam Hossein University EWCD
The IHU is known to have its own Electronic Warfare and Cyber Defense -EWCD- department. The EWCD also hosts the Iranian National Cyber Defense Conference, which covers topics such as cyber strategies, cyber attacks, vulnerabilities, cyber risks, cyber command and management principles, cyber defense tactics and techniques and Basij cyber training.
Considering the malware, the link to IHU and the term “Electronic Warfare” in the department’s name, it is reasonable to think that the IHU’s EWCD department is linked to these destructive cyber operations. It is clear that the attackers have made security mistakes throughout their operations, exposing many details. Kaspersky say they are going to continue to monitor the malware attacks, as will other security organizations, we are sure.
The IRGC spyware program is obviously disorganized and careless, and far from enhancing the reputation of the State, it is exposing itself and its operators to revalations by those with the most basic of research skills.