An individual using the Lab Dookhtegan pseudonym has leaked a set of hacking tools belonging to one of Iran's most sophisticated espionage groups, often identified as APT34, OilRig, or HelixKitten. The leak is similar to that of the NSA hacking tools by the ShadowBrokers group, but the two leaks are likely unrelated.
An Insider Threat?
ZDNet reported today that it had a Twitter conversation with Dookhtegan, who claimed to have worked for the group’s DNSpionage campaign. The documents that Dookhtegan leaked on Telegram contained not just source code for hacking, but also sensitive information about the Iranian espionage group's victims.
Dookhtegan also seemed to have a grudge against the Iranian Ministry of Intelligence, which he called "cruel," "ruthless" and "criminal" in some of the leaked documents. He also suggested that more information about the "crimes" of the minister would soon be revealed. Despite all of this, it's not clear whether Dookhtegan was actually part of the Iranian espionage group, or whether he was really working for a rival intelligence agency and trying to publish misinformation.
Iranian Espionage Group to Change Toolset
Security experts from multiple cyber security companies are now analyzing the leaked tools and documents. They believe that the Iranian group is likely to change its toolset so that its operations are not easily recognized, and therefore blocked, by new security features and anti-malware tools.
Dookhtegan also said on Telegram that he destroyed the control panels of APT34's hacking tools and wiped their servers clean, so the Iranian espionage group may have no choice but to start over anyway.
The cyber security experts also think that we may soon see copycats using these leaked tools in false flag operations. However, because the tools aren't as sophisticated as the NSA's EternalBlue, for instance, which seems to be the gift that keeps on giving for malicious hackers, it hopefully shouldn't be long until they are no longer effective against most computing devices, forcing criminals to stop using them.