Robin’s Newsletter #211

3 July 2022. Volume 5, Issue 27
'Hacktivists' execute cyber attack against Iranian steel works, 'mercenary hackers' swaying legal battles, and malicious insiders
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Cyberattack claimed against Iranian steelworks 

Spectacular footage was posted online by the Gonjeshke Darande (Predatory Sparrow) ‘hacktivist’ claiming responsibility for a cyberattack against three Iranian steel companies, later confirmed by state media in Iran.

Operations were suspended as a result of the attack, though the CEO of one of the affected companies said that “the attack failed and no damage was done to the production line.”

Sparks fly and engulf large industrial machinery in a freeze-frame from the video showing the alleged cyber-attack against one of the Iranian steel mills

View the full video on Twitter: @GonjeshkeDarand

Kinetic impacts stemming from cyber-attacks are, fortunately, few and far between - making this all the more of a stand-out incident. A previous incident, also targeting a steel works, was reported by the German Office for Information Security (BSI) in 2014.

But while the sparks flew in the video of the attack, the attack itself appears to be far more controlled, as The Grugq points out in his newsletter The Info Op. Of particular note is “the level of effort that the operators took to make sure that the attack didn’t harm people. Not only did they take pains to ensure this, but they also made it a pillar of their announcement, along with proof that they took those steps.”

Then there is not only compromising the industrial control systems but also the facility’s CCTV to provide evidence of the attack. While not unfeasible, these, combined with the slightly odd target selection for a ‘hacktivist’ group points to it being a state-sponsored group conducting an offensive cyber-operation, but also trying to manage the fallout and establish ‘norms’ around these types of attacks.

Tom Uren has more background on this, and previous Predatory Sparrow attacks on Iranian targets, which included similar forewarning and careful planning in the Seriously Risky Business newsletter. (German steel mill, 2014), (Grugq) (Srsly Risky Biz)

How mercenary hackers sway litigation battles

A special report from Raphael Matter and Christopher Bing at Reuters looks at the relationship between Indian ‘hackers for hire’ and US private investigators and law firms. Regular readers will recall the name BellTroX InfoTech from a Citizen Lab investigation in 2020 (vol. 4, iss. 24) who obtained information from the opposition party’s email accounts to provide intelligence on legal strategies or other evidence. It’s a good read and example of the ‘clock and gavel’ tactics that some resort to behind the scenes to influence legal battles.

Interesting stats

39% of all UK crime in 2020-21 was fraud, according to the Office for National Statistics, with £1.3 billion being misappropriated by criminals in scams against UK banking customers, says industry group UK Finance

18 0-day vulnerabilities have been found being exploited in the wild so far in 2022… and 50% are variations on previous vulnerabilities that “could have been prevented with more comprehensive patching and regression tests,” according to Maddie Stone of Google’s Project Zero team

In brief

Attacks, incidents & breaches

  • Several Lithuanian government services were taken offline for several hours by distributed denial-of-service (DDoS) attack after the country refused to allow Russian exports of metal and coal through the country to the Russian exclave of Kaliningrad
  • Norway has also blamed a “pro-Russian group” for DDoS against public and private providers of ‘important services’
  • AMD is investigating claims that the RansonHouse group compromised its network and stole 450GB of data last year
  • NFT Marketplace OpenSea has disclosed a data breach this week caused by an employee at a supplier downloading email addresses belonging to users and newsletter subscribers. The addresses could be used to target phishing attacks for crypto-assets
  • Book publisher Macmillan has shut down its network and closed offices while responding to a ransomware attack, leaving the company unable to process new orders
  • Names, date of birth, gender, race, driver’s license number, addresses, and criminal history of California concealed/carry weapons permit applications between 2011-2021 leaked by the state’s Firearms Dashboard Portal
  • Last week’s $100 million theft from crypto-currency Harmony (vol. 5, iss. 26) has been linked to North Korea’s Lazarus group by Elliptic
  • Carnival Cruises has agreed to a $1.25 million fine for the way that it handled a 2019 data breach. The breach was disclosed in March 2020 (vol. 3, iss. 10) and affected 180,000 employees and customers whose names, Social Security, passport, driver’s license, health and payment information was compromised by attackers

Threat intel

  • The LockBit ransomware group has released version ‘3.0’ of its ransomware-as-a-service operation and, in parallel, launched a bug bounty programme — usually the sort of thing modern tech companies use to engage and reward security researchers for finding vulnerabilities in their platforms — with payouts for identifying vulnerabilities in websites, providing personal information, and bugs in encryption software that might allow the safe recovery of files, amongst others
  • Evilnum APT group carrying out renewed espionage campaigns that align with the interests of Belarus, says Zscaler
  • The ‘8220’ group have made ‘notable updates’ to their malware targeting Linux systems, says Microsoft. Vulnerabilities in Confluence and WebLogic are being exploited to compromise systems and drop a crypto miner and IRC bot
  • Chinese foreign language students were targeted for ‘translation jobs’ working for Hainan Xiandun, allegedly a front company for the Ministry of State Security (MSS) APT40 group, to analyse stolen documents from espionage operations]
  • Android malware disables Wi-Fi, subscribes to premium services and intercepts/suppresses SMS confirmation messages, in a new ‘toll-fraud’ campaign says Microsoft
  • Information and indicators of compromise (IOCs) on MedusaLocker ransomware from CISA


  • Vulnerabilities found in 25 plugins for the Jenkins open source continuous integration (CI/CD) platform
  • Public proof of concept published for 9.8/10 remote code execution vulnerability in Zoho ManageEngine ADAudit Plus. The bug, CVE-2022-28219, was patching in Mach

Cyber defence

  • CISA is urging federal agencies and companies to adopt ‘Modern Authentication’ options in Exchange Online before Microsoft removes ‘Basic Authentication’ options at the beginning of October. While modern options allow the use of multi-factor authentication, the basic routes (used by many legacy applications) are still currently enabled in parallel, allowing attackers to circumvent these additional protections The change is likely to be disruptive to organisations that aren’t planning for it, despite Microsoft giving over a year’s notice: here’s a recent update from the Exchange team on how to prepare
  • Guidance from NCSC on reducing data exfiltration by malicious insiders — you’ll be disappointed if you hoped for a ‘turn this on and be done’; it’s down to you to step through in a structured manner — but also a useful list of relevant case studies at the bottom
  • After rising an estimated 92% in the last 12 months, cyber insurance premiums may be stabilising allowing “cautious optimism” of brokers, says Marsh
  • Google has consolidated its password managers in Chrome and Android

Security engineering

  • Congrats to Pedram for the launch of SecDim Play, a security game where you get points for finding and fixing security bugs


  • Mozilla is adding a feature to its Firefox web browser that removes tracking parameters from hyperlinks that are used to track users sharing URLs and those who are clicking on them

Public policy

  • The NATO military alliance will improve civil-military cooperation and create a ‘rapid reaction’ cyber force, following a meeting of leaders from all 30 allied countries in Madrid this week
  • The US Department of Justice is targeting to handle 65% of ransomware cases reported to it within 72 hours by the end of September 2023


  • The US Federal Trade Commission (FTC) is suing Walmart for failing to clamp down on fraudulent transactions while pocketing fees from scammers using its money transfer services. Walmart has called the suit “factually misguided and legally flawed”
  • Cyber regulations for pipelines operators are being relaxed by the US Transportation Security Administration (TSA), with reporting deadlines doubling from 12 hours to 24 hours and a performance-based method that gives greater flexibility and choice over how companies protect their digital systems

Law enforcement

  • Sebastien Vachon-Desjardin, a Canadian extradited to the US in March, is to plead guilty to four charges around his involvement in the NetWalker ransomware gang. Alongside his arrest earlier in the year, 719 Bitcoin and $790,000 in Canadian currency were seized
  • Ukrainian police have arrested nine people for operating over 400 phishing websites believed to have been used to steal $3.4 million from around 5,000 victims

And finally

HackerOne employee terminated for selling bug reports on the side

Bug bounty platform HackerOne has terminated an employee following an investigation that found they were using their position reviewing vulnerability submissions to steal bug reports and sell them on the side… using the company’s own platform. It seems they had pretty terrible opsec, as network traffic provided evidence linking their staff and sock puppet HackerOne accounts and it seems they didn’t waste any time getting to ‘work’ as seven fraudulent claims were submitted to participating companies before they were terminated within 3 months of starting their employment.


  Robin's Newsletter - Volume 5

  Gonjeshke Darande (Predatory Sparrow) Iran Kinetic cyber Hacktivism Cyber-attack Cyber norms Safety BellTroX LockBit Authentication Fraud