Using simple techniques available to any security vendors looking at VirusTotal data, ICNA has found and clearly identified that the hacker xman_1365_x as being behind the StoneDrill and NewsBeef malware.
xman_1365_x is self-identified on forums as Mahdi Honarvar from Mashad. This is shown to be linked to the third wave of attacks by the Shamoon-2 wiper malware.
Not being content with being exposed 3 years ago as a member of the Cyber Army Institute of Nasr, he has continued to work for the Kavosh front company, and this now shows that he and others, through their poor security procedures, have enabled others to easily link the malware back to the Iranian State, inviting retribution from those who were affected.
The size of the NewsBeef and StoneDrill attacks suggests an organized team effort. Searches have revealed he could be part of an organized group. Some of those that Iran Khabarestan exposed were researching and developing spyware against conscientious and political opponents of the Islamic Republic might also be involved? They are as follows:
He is head of the fake Kavosh company and uses the email address [email protected] His email address, along with the address of [email protected] are seen on the barnamenevis.org programming forum. This has a large number of Iranian users and others could have been recruited from here to help him develop his spyware. Are there others on this forum who have been working for the State?
Behzad Shamsi Achachluei
Spyware and malware developer for smartphones, uses the email address [email protected]
Beiki discovers vulnerabilities and informs the IRGC so that they can spy on people and start cyberwars. He uses the email address [email protected]. His own resume states that in the past he has been a ‘Malware Analyst, Kavosh Security Center, Tehran’
Hoseinzadeh is a spyware developer and uses the email address of [email protected]
Torkashvan is involved with research and development -R&D- of cloud-based attack systems, working as a malware developer. He uses the email address [email protected]
Sayyed Javad Sayyedhamzeh
Sayyedhamzeh is a spyware and destructive malware developer using the email address of [email protected]
Heidariyan codes malware to spy on Iranians and he uses the email address [email protected]
Nikju -Nikjoo- works on coding malware to spy on Iranians and his email address is [email protected]. Nikjoo has been careless in the past, posting his links to Kavosh in his resume.
Paryar also codes malware to spy on Iranians and he uses the email address of [email protected]
The original blogpost where this information is listed is from is on Iran Khabarestan available HERE. Two of those indicted by the USA FBI in 2016, Hamid Firuzi and Nader Saedi are also named in the article.
It is clear that the attackers have made security mistakes throughout their operations, exposing many details. ICNA is sure that security firms will continue to monitor the malware attacks. The IRGC spyware programme is obviously disorganized and careless and far from enhancing the reputation of the State, it is exposing itself and its operators to revelations by those with the most basic of analytical skills.