
BlueLeaks: US Law Enforcement feared Iranian hackers

July 1, 2020

According to recently leaked documents by Anonymous, US law enforcement feared cyber attacks from Iran, specifically after the murder of General Soleimani in Iraq on January 3, 2020. While the threat of these attacks has been reported on in the mainstream media multiple times, these documents give further insight into how US law enforcement, specifically on a state level, perceived and planned to mitigate the Iranian threat.

The documents also shed light on how US citizens were monitored on social media, with examples of US citizens being included in reports published by fusion centres. These social media posts were often used to assess threat levels.

Iran’s use of the internet to attack foreign targets is nothing new, and mentions of Iranian hackers come up many times in the leaked documents. The first document worth mentioning is a leaked report from the California State Threat Assessment Center (CSTAC) dated June 2013.

According to the report, Iranian hackers attacked US infrastructure in May 2013, and had previously conducted several attacks on Israel. This was cited as a reason to be cautious about Iran’s capabilities. The report does not mention any threats of attack on the US, but mentions “non-stop attacks” on Israel from Iran at that time.

The next notable document is a detailed manual from the Florida Department of Law Enforcement (FDLE). This report talks about the history of Iran’s cyber attacks, the perceived motivations for those attacks, and the perceived capabilities of their hackers.

Offensively, they want to take advantage of the asymmetrical nature of cyberspace warfare, tactics similar to those used in terroristic and guerilla warfare. Thus, Iran has, and likely will continue to, put heavy emphasis on cyber espionage…

Source: https://drive.google.com/file/d/1VPoEDFPjhCZ8GT3rJk0pGLfOB9ejVC0I/view?usp=sharing

Interestingly, the report notes how attacks from Iran went down when the Obama nuclear agreement was active, but spiked after the deal was torn up by Trump.

Three Florida websites were defaced by pro-Iranian hackers, but there is no evidence to suggest it was Iran. Rather, it was likely domestic hackers who held pro-Iran beliefs.

More recently, in January, the SouthEast Florida Fusion Center (SFFC) put out a warning about the killing of General Soleimani in Iraq, and how the US expected retribution from Iran. The report does not specifically mention hackers; however, it cites Twitter posts in which US citizens had made violent remarks.

Due to this recent event that occurred in Iraq, individuals have taken to Twitter posting derogatory remarks toward South Florida, the State of Florida, along with President Donald J. Trump’s visit to his residence in Palm Beach.

Source: https://drive.google.com/file/d/18rsu1JljocBSnL5aHu8NfKCAw-c9ecAO/view?usp=sharing

For reference, two of the cited tweets are included below.

While the first tweet directly refers to violence and World War 3, the second is an insinuation that Iran should go after Trump in some way. Still, it was included in the report.

Despite being included in the report, these two tweets are still on Twitter, and the accounts are still active.

A report from Homeland Security describes multiple website defacements with pro-Iran messages, specifically the defacement of the Federal Depository Library Program website. However, the report assesses that the attackers were likely non-state actors. One attack on January 3, 2020 was tied to an Iranian cyber criminal with the screen name Mrb3hz3d. The report cites a private cybersecurity firm, FireEye, numerous times as its source of intelligence.

Additionally, the report contains the IP address 212[.]92[.]114[.]228 (written in defanged form), which is where the library website attack was suspected to have come from. According to Whatismyipaddress.com, the IP address is registered in the Netherlands and has been included in three different blacklist databases.

It is likely that whoever conducted this attack spoofed or masked their IP address, making it difficult to track the exact source; a blacklisted address in a third country is consistent with an intermediary rather than the attacker’s own connection.

The last significant document is a report from the US Department of State, intended for both the private and public sector. It is interesting to note how US law enforcement and private industry share information with each other in this way.

While Iran’s cyber operations have mostly focused on the Middle East, it does have a well-documented history of using its cyber capabilities to target U.S. government and private-sector entities in response to U.S. foreign policy decisions.

Source: https://drive.google.com/file/d/1i5sLtu7zxrp26Jtls0dtsiHO6l2mpGW7/view?usp=sharing

Like other reports, this report does not mention credible threats, but still worries about Iran’s potential to carry out an attack, especially in light of Soleimani’s murder.

Of course, the US government has an interest in mitigating attacks from Iran, especially now that Iran has an increased incentive to carry one out. However, these documents shed light on how even US citizens can be inadvertently monitored or included in reports based solely on what they write on social media.

Granted, the threats included in the linked fusion center report cite violent remarks, and the people who made those statements ought to have expected some blowback.

Either way, these documents raise further questions about just how much domestic social media US law enforcement monitors. Whether it is domestic protest groups or overseas hackers, it seems the United States has its eyes everywhere.

This is a good reminder never to joke around about extremist or violent activity online, as it has the potential to incite others. There have been unconfirmed rumours that private messages could be monitored in this way. It is also possible for government agencies to get into your phone and turn on the microphone or webcam. Better to be safe than sorry.

On top of that, one off-hand remark or insinuation could be enough to get you on a list to be monitored. Be smart and keep your online conversations peaceful. You never know where your tweets or Facebook posts might end up.

Article by: Mark Slapinski

Disclaimer: Access to these files is for educational purposes only. These files were originally made public by Anonymous at hunter.ddosecrets.com/datasets/102 and have since been publicly distributed on every social media channel including Reddit and Twitter by users worldwide.

  1. California State Threat Assessment Center, STAC Bi-Weekly Review
    June 2013
    Google Drive - View or Download
    https://drive.google.com/file/d/1bwA8l55EOzaXIrmBJc7XcrepkoihdjE7/view?usp=sharing
    File Dropper - Download
    http://www.filedropper.com/20130621stacbiweekly208
  2. Florida Department of Law Enforcement, Strategic Assessment
    July 23 2019
    Google Drive - View or Download
    https://drive.google.com/file/d/1VPoEDFPjhCZ8GT3rJk0pGLfOB9ejVC0I/view?usp=sharing
    File Dropper - Download
    http://www.filedropper.com/032019overviewofiranscyberthreatlandscapefouo
  3. SouthEast Florida Fusion Center, Situational Awareness
    January 3, 2020
    Google Drive - View or Download
    https://drive.google.com/file/d/18rsu1JljocBSnL5aHu8NfKCAw-c9ecAO/view?usp=sharing
    File Dropper - Download
    http://www.filedropper.com/usiraniantensionsituationalawareness
  4. Homeland Security, Intelligence Note
    January 24, 2020
    Google Drive - View or Download
    https://drive.google.com/file/d/107wd4LTAM1Fcy2Z_0a8B7ROw4GPdLvme/view?usp=sharing
    File Dropper - Download
    http://www.filedropper.com/dhsindefacementsofuswebsitesfollowingdeathofqasemsoleimani
  5. US Department of State, RISC Report
    January 2020
    Google Drive - View or Download
    https://drive.google.com/file/d/1i5sLtu7zxrp26Jtls0dtsiHO6l2mpGW7/view?usp=sharing
    File Dropper - Download
    http://www.filedropper.com/1uosacinteladvisoryretaliatorycyberstrike
