Loading summary
A
Hello everyone, this is Tom Uran and I'm here with the Gruk and a special guest, Hamid Kashvi, who is the CEO and founder of DarkCell. This week's edition is brought to you by Push Security which makes an in browser agent to protect you from all those bad things that come in through the browser. Find them at pushsecurity.com Hamid has a special interest in the Middle east and has been researching the cyber goings on there for like over a decade. So Hamid, the reason we're talking to you is that there's been a series of leaks that's known as Kitten Buster which is basically blowing the lid on a particular IRGC related cyber espionage group which is known as charming kitten or apt 40. I'm sure it's got probably half a dozen different names. Now we're going to talk about what's in those leaks and the Iranian cyber espionage scene in general. But one of the first things Gruk and I spoke about this and we had this kind of not a difference of opinion but we speculated that there's two different paths here. One path is that all this exposure like it's from a western point of view getting outed is very bad news. But we also speculated that perhaps it would actually be, if not a reward, a recognition.
B
It's validation really.
A
Validation and so that it could actually potentially be good for the group. What do you think?
C
Well first let me say hi to all the listeners and viewers and thank you very much for having me. It's nice to see you virtually face to face as well again. And regarding the subject of today's discussion, I would say I listened to like I think one of your recent episodes that you were touching about the same subject of whether it's helping them or whether it's going to disrupt the operations. And you mentioned, I think it was some examples in other countries or I think it was the apt one that basically ended up forcing restructuring the whole threat actor group behind the scene and basically make them disappear and switch to different organizational way of doing things in case of Iran, based on what I've seen and the way things work there, I think it's quite literally the opposite if anything, whenever you are like they are literally the poster boys by definition and literal meaning of a poster when their name appears up there in reward for justice or sanction list and stuff. I know cases and I know individuals that have literally got rewarded and have been promoted and have been securing extra budgets for extending their work so solely based on the fact that they have Made a big splash in media and they literally go, hey look, I've been doing some awesome work and I'm a big deal, so give me more of that. And they do that. So from that angle, if you look at it, it's actually helping them if anything. But there has been.
B
Why don't more threat actors OPSEC fail spectacularly? Oh no, I accidentally left my ID out here. I hope no one reports me to the sanction list.
C
Yeah, Iranian members of these groups. We're doing it actually, believe it or not. You probably find it in early CTI reports from mid to late 2000s that people would actually put it in their LinkedIn profile that we are doing this kind of work. I'm not joking. So very proud work of that. I mean it tells something that either they don't give a shit about opsec or they deliberately. Which I don't think it's actually deliberate, but yeah, there is no shame in that. And the other part is, I mean it's not entirely ineffective in a sense that exposing them will just do nothing. Of course it has effects and of course it will force them reorganize, retool maybe and sit and think what happened to them. It also has some less discussed probably consequence for the specific groups and people that were outed. And the way it works is that whenever something like this happens, being as simple as a ransomware case or a simple big name compromise, all the way down to exposure of like a company that's doing security projects, but it's actually like hacker for hire for one government organization like Mois or the irgc. Counterintelligence brands. They go medieval. Ministry of Intelligence. Yeah. And security. Yeah, they go medieval on them. They, they arrest people, they, they interrogate people, they come turn things upside, upside down. So I'm pretty sure since this thing happened there have been some serious questioning, some arrests. I'm just guessing, but if it's anything like the previous cases, which were way milder versions of similar incidents, people have been dragged out to be questioned and that effect exists.
B
So that's sort of like a cup of tea, comfy chair, nice little 30 minute chat. You know anything about this? No, I don't. Okay. Well, it was good to see you again. I'll call you a taxi and get you home now.
C
Yeah, exactly.
B
I'm assuming that's, that's what happens when the Iranian Secret Service.
C
Yeah, they're pretty hospital. I mean Iranians, we are known for.
B
Our hospitality, warm and generous people. So I very much that sort of.
C
But, but yeah, so there is this aspect of it that, like, it's not just fair to say it has no effects, it has impact in the psychological side as well. That holy something happened and we have no idea how it happened. Now we kind of do. But that forces some serious questioning and trying to, like, assess the damage and prevent something similar to that, like, happening in similar cases where the staff were charged with actual espionage, regardless of, like public exposure leaks. There are some cases that goes back over 10 years. They literally had to close the shop, like close that office. And some people were arrested for long term in prison more than five years. Some people literally had to refresh their id. Like, I know that they are living under new identity in the country, not just operating and pseudonyms. So it has effects. But the other interesting aspect of it, which again, I think needs a little bit of credit and needs to be discussed a bit more, is that the hacker space in Iran has been evolving like any other country, and quite a lot. Part of it is because the first generation, which would have been us from 20 years ago, joining this community, we had one way of joining the scene, doing things, operating, doing business. And at some point the government realized, oh, this is an untapped market, let's join it, let's disrupt it. And naturally, or historically, Iranian government has been hostile against any work of this kind. So you don't do it unless you're doing it for us, and you don't do things unless you let us know first or unless you prioritize us first. So that caused a lot of tension with a lot of people, including myself, which if you don't agree with their ideology or you don't want to work with them, you're not going to have a smooth ride in the long term. And that whole suppression got aggressive and extreme for a period, I think, between 2005-2010, to the point that they literally forced pretty much all security forums, all open neutral gatherings and communities to dissolve and disappear and close, mostly out of the fear of being outed openly and unwillingly, like those LinkedIn profile cases that I mentioned, because they realized that, okay, this is a huge opsec failure, and this is also their best source of recruitment. So these hacker communities, so they know where these people are, they're recruiting them and they reach out to them, but so do every other intelligence agency in every other country. So they realized there was a threat there and they forced closing shops and they tried to, like, not in a nice way, steer this community into working and joining these front companies and these research groups. It didn't work out well, long story short. So they had to rethink it and fast forward five years again. Then we started noticing this pattern of sugar coated security training companies and academies and whatnot. So that was their new way and new like new style of.
A
So you're saying they tried to force people to work for them and just didn't work.
C
But I mean a lot of people joined. Yeah, but it overall it just, it damaged the community and it damaged the hacker space mostly. And you can see the result of it in test technical proficiency of people as well. You don't see any deep level research, any proper like zero day work coming out of that side of things. Either the government side or even the open community that people actually just share like most other countries. You see a big deep and big gap of deep knowledge and it's because they disrupted the natural way of growing and getting into the space and then there was no alternative. So people either feared out of this field and went, I don't know, do business, do chicken farms and run supermarkets instead. It's less, less concerning, less demand from the intelligence services and they live a more peaceful life. But also beside a couple of people that were doing it from the academic side, you don't see anything interesting happening or coming out of that space either open or even in tooling or the ttps of threat actor groups that are working for that nation.
B
I was just thinking exactly this which is like if you go back 15 years, basically the Iranians were using PHP scripts and commercial rats that they could buy for like Windows boxes. It was very, it was basic stuff and so was North Korea. Right. And then if you go forward 15 years, North Korea is doing multiple O days in Chrome. They're doing you know, very complicated crypto hacks where they have like a 15 minute window of like JavaScript injection to do like all this stuff. Like it's an impressive improvement. Iran seems to be sort of at the. They're still doing the PHP scripts, they're still doing like the commercial. Like it's not necessarily quite that bad but it just, there's been this meteoric rise of.
C
They're past that I can tell you they're past that point. And you can see that since actually few years ago, results of it result of this change of course of action, specifically doing more orchestrated and more organized trainings by people that are actually have their hands dirty and they are actually like hands on people. They have been training and running operations in some cases well at the same time. And these people are teaching, trying to establish that, okay, this superficial work, phishing works, of course it will always work. But there is this whole interesting area of doing Windows internals in trainings and doing red teaming training as they call it and as they promote it and commercialize it. But if you study some of these training materials and the subjects that they are training, you could see drips of it pouring down into public apt reports that are coming down from Iran or even more interestingly, the very same people that are doing the training. You find their personal traces in live samples that were caught attributed to one of these Iranian threat actor groups. But to go back to the grug's point, they have been heavily investing for past, I would say seven, six years ago until now. They have started to realize that okay, there was this knowledge gap that I mentioned and they try to make it more friendly by opening up the space a little bit more. Even though it's still through these front companies that have connections and you cannot still do independent proper security work and deep work without getting bothered. So whatever we see is active in the community, it's very safe to assume that there are some connections either directly or indirectly as a pool of talent and identifying people that. But they realized this gap and they started investing on it in a proper way by training and by training the right stuff. And what's interesting or is in demand by the Iranian threat actors which like in North Korea, you mentioned browsers. Iranians have a historical interest in IoT devices and like SCADA systems and industrial systems and whatnot. Because historically we have seen how they try to wreak havoc by attacking different countries, Israel, US and other nations. The way and the style of their attacks has been more focused on the infrastructure. So naturally they need to invest on that part as well. And they did that. And now like since a couple of years ago we are starting to see a lot of these pseudo names on Twitter popping up or on Telegram that are like left and right hacking into like Israeli or American companies. And their entry point is hardware and is this industrial control system. So that training has actually worked and paid off and now we're watching the result of it and it's going to go get more because if you look at job advertisement inside the country that are again for red teaming jobs, that's how they sell it. There is almost, I mean not all of them, but majority of them include this specific subject like hardware hacking and getting into industrial systems, there seems to be a hot demand on it. And beside that there is also proper shift and attention to the tooling, implementation like training operating system internals that, okay, you land in there and you deploy web shell. What do you do next? You need to create a proper implant. You need to have proper cryptography, you need to have proper no bus implementation and whatnot. The typical tradegraph work. They're learning it and they have learned it and we start to see that actually getting implemented in the new tools that are getting captured and like samples are out there. You see a notable difference between the samples that are mentioned in CTI reports today and this year versus five years ago. Back then the entire tool chain of muddy water, for example, was based on web shell scripts and some C and PowerShell scripts. Like if you look at five years ago or go beyond that, even more simple stuff now they actually have lightweight disposable implants developed in lower level languages for that specific job. And they are actually incorporating some EDR bypasses. That shows that there is a growth in that side of knowledge tree where they actually try to focus on technical sites that matter operationally, not just looking fancy or over engineering things. They encrypt things enough to bypass the edr. They encrypt enough to not get disrupted during their ransomware attack. For example, they don't go over engineer like Stuxnet style or I don't know, Dooku style. They are not there yet. They are investing, they want to be there, but they don't have the right talent yet. And they don't have the need for it either. Because the phishing works. Why? Why spend half a year developing something when a $5 infrastructure phishing works as well for an operation? And then beside that there's also this new trend of. I mentioned earlier that we rarely, if ever, I don't actually recall any case, any notable case that Iranians have used proper ODA to pop targets other than some random junk softwares, different operations. Yes, but we have never seen, not that I know of a case where an Iranian attributed threat actor group go pop, I don't know, firewall appliances or some commercial software at scale. And then we realized, oh, there has been like 101,000 infection cases. I don't recall any cases like that. But we're gonna get there soon as well because there have been investments in trainings on that side of things as well.
B
I should probably look at Fortinet because then I can just use their web shells again.
C
I literally use that for. I do like try to help some people to get traction into this field. And I literally use these firewall appliances as the hack me thing. Like the OS webgoat is outdated. It's not as vulnerable as these appliances.
A
So you're describing Iran, I guess the way you've described it to me it sounds like they've at some point realized what we're doing is all wrong in terms of how we harness the community and the talent we've got. And it sounds like they flipped a switch. But do you know why or how that happened? Like it seems to me that if you're a regime that has, you know, a way of operating which is like a hammer, we'll hammer people into submission and somehow they've, they've managed to turn it around and like it sounds actually from an Iranian regime point of view actually quite optimistic. You're describing a trajectory that's up and to the right rather than sort of bumping along.
B
Well, I was going to say like what you're describing is that Iran is becoming the threat actor, that they've always been represented. Like, they've always been presented as like these big bad terrible things while they've been using web shells. Yeah, it seems like they're now doing that.
C
So yeah, like thanks for mentioning it. Yeah, I mean they have to do that on the Western side and on the European side because they want to sell their products, they want to sell their services and you cannot go secure a multi million budget for a junkie product because someone is dropping web shells. You need to present them as the fourth like most capable cyber in the world. Which I mean sorry for like using Air Force, but yeah, let's not, it's, it's just nonsense in a way because we, we have, we have all seen the technical implementations on the operations. They work, they work down well as well. But to, to their credit, but this is not the threat actor group that's comparable to Russian birds or how Chinese are doing it and they, they drop all days like it means nothing to them. In Iran if someone has all day, it's like a golden egg that they have secured by some means and they, they, they try to be very careful with using it if they have anything. And that's a different subject we can talk about. But back to.
B
Yeah, I was just gonna say like to feed in exactly to Tom's thing is. So did they decide that they didn't like being like the, the fourth rate cyber threat and they just, they wanted to up their game so that they wouldn't like disappoint the, the axis of evil partners or like what drove them to suddenly become good?
C
Yeah, so I, I don't think that was the case because domestically they actually have even bigger PR going on about their capabilities. They boast a lot on TV and public media. And even when they threaten other groups in these like open letters or what I don't know what their memos that they leave behind under their pseudonyms that how advanced and how special we have been in during the operation, you see a lot of technical lies as well. But what I think actually triggered this and changed the course of actions and directions was mostly a the new generation of people. We are talking about a whole different breed of people and talented that I'm actually impressed talking with some of them and watching them grow as well. Independently. They are better educated on the base level and the foundation level that our first generation. Because a lot of people from our generation either came from the academic background which had some knowledge which was already outdated because of the way universities were in Iran, or people were doing it as a hobby and it didn't mean anything to them to go deep on internals of OSU or something. Unless it's extremely interesting for you. There was no systematic way of growing hackers. If I can explain it, if you look at the way the academic studies and university programs were shaped 20 years ago, 15 years ago, you wouldn't expect good technical people coming out of it that are a good base for becoming an advanced hacker or advanced actor or an operator. So if there was anyone or anything, it was out of a hobby or personal motivation. And personal motivation works at tiny micro scales. But you can't rely on it as a nation. You need a factory. You need to build the pipeline of producing talent. Which is.
B
Yeah, this is what you're reminding me of is it's. If you look at like how China did it, it's the same thing. Like for a long time they were just going with the like people who are interested or sort of self taught. And then they realized that that wasn't the future and they started investing in training. And I'm positive that that's what happened in North Korea as well. Like there's no way that they're running their teams now based on people who just happen to like computers. Like it's training. And so Iran seems to have had the same realization of like you can't run like you can't run a nation's cyber thing on kids who like computers. You have to go out and you have to teach them like find people who have some aptitude or some interest or whatever and then train them. And when you do that. Yeah, that's when you like if hits.
C
The fan, you need to have a thousand people that you can count on that at least 5% of them will come out as good talent. So you cannot just find random 10,000 people on Internet for him. You need to have to prepare a stage where people join and then you watch them and then you nurture them, and then you train them and then you pick up that 5% that's suitable for your work. So that's one side of how I would assume Iranians are getting into this direction and improving. The other thing is on the management side and the government side as well. Every couple of years, just like the US when the administration changes policies also change doctrines, change the way people look at things, change, the geopolitical interests and demands change. And all of that has also been, I think playing factor in what the actual cyber threat capabilities of Iranians are compared to 10, 15 years ago. And there is also this side note of what has been thrown at them. Iran has been historically very tightly, very harsh about how they get compromised, how they get popped. Pretty much anything we know about successful operations publicly mentioned in Iran is from companies that have nothing to do with that nation. They are not even active customers of any US or European base. But somehow you see this constant flow of Western CTI shops dropping details about operations against Iran without even being hired by Iranians to do that, or without even having they just happen to find ways to pretty efficient and successful ways as well to capture samples and study and then present it to the world that hey, this is how Iranians are now being compromised. But we don't ever or very, very rarely hear the Iranian side of that story. There are of course CTI shops in Iran as well. There are people that are doing forensics threat intelligence and some of them are doing reasonably good job as well.
B
Not that's going to be a really easy job. You just have one thing that says it was Israel and then search, replace the client name every time you need to.
C
Yeah, following that Microsoft guy, just I forgot his name. The Mossad or not Mossad threat model that you know what I'm talking about. Yeah, but so there are shops doing like threat intelligence work as well. And Iran is also systematically trying to reorganize themselves to be able to capture those attacks. Not that they have been actually very successful at it based on the outcomes of these attacks we can see. But the point I'm trying to make is that they have also learned and have made a system around getting hacked, finding samples, having people at it and throw money and time at it to study how it works, why it works, what technology, what implementation novel work is in that and repurpose it and sling it back at where it came from. And case point being the Shamoon attack. It was literally a repurpose of the same wiper. Not exactly the same, but I mean if you look at the technical reports that are available, it's a very direct copy of the approach to the problem, if we could call it or whatever you want to do. It was exactly that case that they were on the receiving end of wiper attacks. They got the sample, they didn't share it openly, they studied it and couple of months later they throw it back at an ally of the US because they assumed this is where it came from. And there has been multiple cases like that as well. Stucknet as well. They also changed course of action of how they look at things. They already had a grip on how to isolate an air gap networks. Not that it's been successful, but they had some ideas. That's why stuxnet is Stuxnet, because there was already some protections in place and it was not just go plug USB into a nuclear facility and hope that your implant works. There has been already a decent organizational way of isolating things and that's why stuxnet needed to be implemented the way it did. Or Dooku needed to be as stealth as it did because they knew that Iranians know how to capture basic stuff. There are more recent cases as well that you see pretty interesting attacks like by Israelis or supposedly like presumably like predatory sparrows or other threat actors that have been heavily hitting the financial and critical infrastructure in the country. And there have been samples like the maybe two cases only that Iranians captured and uncovered pretty interesting implants that were deployed on the ILO root kit. Ilo, lights out. I think it was the one of the reports that an Iranian company basically unmasked and revealed rumors say that they have hired some East European shops to help them do this. But also the failure in the implant in the technical side was I believe the main reason that it was captured because there was a problem within the update delivery of the implant. So it was still faking that. It's updating the the management software, the interface and faking the update is successful. But they didn't upgrade to the latest background photo or something like that, if I remember correctly. So that's how it was essentially caught that hey, this version 8 supposed to have this building background, but it's still showing the old version and they realize something is wrong. But nevertheless they, which just goes to.
B
Prove that most, most compromises are caught by someone going, huh, that's funny. Like, that's funny. Like the background didn't update. I wonder why that is. As opposed to like these packet traces are anomalous like this. This is triggering our spidey sense.
C
It's not that deep learning, like Hollywood style of like cti. It's usually this very, very basic stuff. But yeah, so the like, what I'm trying to cover is that they find these interesting cases that today they have not been any public sample of that specific case and couple of others as well that we know that they have been compromised. We know that very interesting networks, government networks and sensitive or classified networks have been compromised. But there is literally no single sample of that and not even a technical analysis. They have this policy of not mentioning a single detail about it unless they have an agenda for it. And they do private peer to peer warning to entities that they assume they are compromised or they are at risk. But even to them it's still a very tight lip way of handling things. And part of it is this general policy of they don't want to admit, I guess, that they have been compromised or do PR control of how bad the reputation is damaged. But I think part of it and the reason they keep it like that is actually to not burn interesting and technically useful intelligence that they have gathered this way. Because if it's still a no day, why would they out it? So when there's patches they would just keep it and add it to their own arsenal and repurpose it and use it elsewhere. So I wouldn't be surprised if some of the samples that we are still missing publicly and openly turn out to be used in some future operations against some other nations by Iranians similar to what like Shamon case was. And that also was the like little note to the main subject that Tom mentioned of why Iran is changing the way it is. Part of it is also this, like they have learned to actually study what's coming at them and repurpose it and translate those samples into incidents, into information, into knowledge, into operational capability. Operational capability in a reasonably decent way. I would say. It's still not like a proper factory, I would say, but it's there, it exists and they spend on it. And also the other way I would say things have improved and changed on the Iranian side is the fact that people are getting a little bit more interested in doing actual research and doing contract work for the government. That's in a similar way to how China has been doing it. Iranians have also realized that oh, that system actually works. Maybe they learned it from China, maybe they learned it the hard way by trial and error. But they have expanded on that side as well. So rather than trying to put everyone in a van and send them to an unmarked building somewhere in south of Tehran to do the hacking operation, they have learned that okay, actually we can be a little bit more relaxed, do remote works and we just proxy the works and outsource some of the operations or some of the tooling and capabilities and knowledge that we need. And then they have this structural system similar to what's been added in this charm kit and leak that there is an organizational structure to digest all the talent, all their works. And without like this compartmentalization is properly implemented in Iran as well. So you do something, you don't know where it's going to be used, when it's going to be used, by whom it's going to be used. You just know that you are tossing it in the black hole that's coming to you by the government. And they literally reach out to private sector companies, even those that are not exactly and actively a front company of anything. They just happen to be security companies that doing their own thing. But because you need to be approved and you need to be provisioned in Iran to work in this field, you must have some government wedding and approval and connection. So whether you like it or not, if you're actively working in cybersecurity, especially on the offensive side in Iran, you have like a dozen certificates, a dozen approvals and whatnot to be able to do actually work with government clients. And that links you to some of these like talent vacuum machines and operational outsourcing pipelines that hey, we know you're doing pentest in your company, you're not working with us. But if you happen to have this kind of capability, if you happen to be interested in poking that specific target for us, there is a good bounty for that and get back to us. And they multicast it through like the management side of those companies. There is not like a forum that they post and people go and watch.
B
And they don't have a ticketing and a queuing system where people go and.
C
Maybe they do it soon. Yeah, but there is this process of work going on as well. And some interesting cases have also popped up in my radar as well that.
A
Like so you say they farm out specific targets so that would that be as specific as like you know, a particular organization or a company or what have you? Yeah, it seems In China, it's here are broad strategic priorities. You know, we're interested in aerospace.
C
They do both. But the cases I've seen at least recently, were very specific. Like, they. One was quite funny that I heard that there was like a K bounty for anyone being able to hack, which is. I don't think I mentioned this one. Yeah, I mean, yeah, maybe Greg won't do it, but there are people that get excited for that and not knowing what they're stepping into. But these are very specific.
B
It's like getting paid $5,000 to travel into Israel and take pictures for, like, mice. Like, it might seem like a good idea if you're like, in Tehran and you're like, I could use $5,000. But as soon as you're like, in Tel Aviv with the cameras, like, excuse me, can you tell me to, like, the Mossad building? I have to take some photos like that.
C
They have learned a way to do it as well. Like. But there was a recent, like, very recent. I think I was reading it yesterday that in Israel, Shin Bet is actually warning the younger generation in the country that you are being actively targeted by the MIS to do, like, espionage. You don't know what you're doing, but this is.
B
They doing the telegram thing. Like the Russians.
C
Yes, Telegram and WhatsApp and I don't know what else I haven't done, really.
B
If you want to make some quick money doing some easy work, they start with that.
C
They start with basic, like, engage, engaging conversations. And then they slowly escalated into doing, like, in field operations and works and actually delivering. And I guess it works, otherwise they wouldn't be doing it. And otherwise they wouldn't be warning about it. So it works at some level.
B
I mean, that's the thing is, like, that's the. Sorry to keep cutting in, but that's exactly the process of, like, all human interactions. Like, you don't start out and be like, hi, you should work for us. Please break into the safe at work by your boss and give me these documents from that and I'll give you $250. Like, it doesn't go like that. It starts with the, hey, you know, you've got a bit of a problem. I can probably help you out. I can get you that $10,000 you need for whatever it is. But it'd be really useful if you could just write us a quick report about, like, Iranian threat actors in general.
C
Let's make it even more interesting. The very same, like, Kitten Busters repository that we're talking about in their last episode. Do you actually see traces of them spinning up cyber security companies in countries of interest? I believe Turkey or even Israel as well. But there was one specific name that I looked up and it exists. So they actually hire people under the COVID of doing pen test work or doing this kind of thing, just so they have an individual employed by them in this specific field. So for the future, if they need to do something, they have a cover story to steer the person into the right direction. And also they have been doing quite a lot of work which I didn't like openly or specifically put finger on, because it's hard to do that. And you don't want to mention everything openly. But one of the ways, like Iranians try to hire talent and sugarcoat it in a way is to hire people that are living in neighbor countries to do the operations. And that often comes in forms of international red teaming, as they call it. This is the typical way of finding.
B
And hiring such a red flag.
C
I mean, if you have never red.
B
Teaming, you know that like there's absolutely no way in hell you're getting hired in one country to do work in another country.
C
That's literally why I was planning to do this, like talking Farsi in a couple of days. Because me and you know it and we are like, holy, this is obvious. But if you go, if you're like.
B
20 years old and this is your first opportunity, you buy it. Oh, yeah.
C
And you do it. You have no idea how this stuff works. You have no idea how these pipelines work and what are actually the legal frameworks around it. So you're like, pen test, sure. It's if pen test, it means legal, it means someone must have paid.
B
Someone has a contract somewhere and there's.
C
Paperwork and it's a company and it's a contract, therefore it's legal. That's how they see it, literally. So they basically either go and approach people or steer people into that direction during job interviews. They say, yeah, you want to come work for us? No problem. Do this challenge and come back to us with results. If you do it, then we know you're actually good at it and we hire you and we will give you more. If not, they have gone the free pen test from that person and the targets or challenges that they give to people. It's never like source code, repository or company made.
B
Here's the goat. Seriously vulnerable web server. Why don't you go and find three new vulnerabilities in it and then come back? It's more like, here's a Sunoco headquarters that we happen to think is holding interesting information. Bring us the CFO's mail spool. I'm guessing it's more along the. Yeah.
C
So they are not shy of exposing themselves in this way, but because they have probably learned that their audience, the age group and the skill level group that they are targeting this way have no idea about how the actual legal framework around it works and how serious it can be and how bad the consequences can be. It just works for them and they keep doing it. And that's how they domestically and internationally, like in neighbor countries, they reach out to people and outsource their work. If it works well, they have got a free web shell, they have got a free access. If not, they have not lost anything and they have not paid anyone anything. It's a free internship. Apt work I would call it.
B
I guess that there's also. If they do it locally and they get someone to do a test for them, if that person gets caught now the government has leverage to give them. You're screwed for ever getting a real job. But if you wanted to join the military, we've got a military intelligence cyber berth that you could take and it's your only option now because you've screwed up your entire life.
C
That's a whole different can of worm. I would rather not open in this unless we're going to have it dedicated because it's a very sad and long topic on its own of how they actually force people to stay working with them domestically. It's. It's sad because it has literally costed people lives. It has costed people going into prison, screwing up their families and whatnot. I have like more than a dozen cases that they reached out personally to me for help and like to figure out what the hell they have been through and how to dig out of this. So it's very close for me as well to see how it's happening. What's.
A
What's the thing that you found most interesting about Kitten Busters? Like what surprised you? Did anything surprise you about what you learned about Charming Kitten?
C
They turned out a little bit more organized than I thought they would be and a little bit larger operationally than I thought it would be. That was. You could reflect that in like the number of buildings. Like they have a whole dedicated team of translators, like I think a dozen or so, like a whole section. And if you have 10 dedicated full time translators sitting at some building, it can be extrapolated to ChatGPT. So yeah, maybe, but it should be extrapolated to tell you what's the actually the throughput of the other teams that you need 10 full time translators at home to do the job, whether it's for PR or whether it's actually to digest the intelligence. That part was I think the most interesting for me. And also the clustering of who is who. That was I think also super interesting that we actually learned through this leak that they are the people behind some other groups that we thought were isolated and separate cases. The other significant thing that we mentioned is their willingness to an investment and actually working in the domain of mixing kinetic attacks with cyber. And they have literally prototyped like explosive UAVs as part of this like package that they drew delivered to cyber. So they gather intelligence to target people and then they also offer a solution to actually execute the operation and do the terror attacks, which was that.
A
Well, I was fascinated by that as well. And I wasn't quite sure what to make about it. In terms is it just someone who in that organization is just super keen and says yes, we can do that because.
C
It came. I think the way to put it is that it's not fair to mix it exactly with their hacker group. But that hacker group turned out to be a tightly integrated part of the counterintelligence unit. 40 I think it's coming from the report that's under IRGC intelligence. So that specific unit has like a hacker arm which is the kitten buster, but the same people involved with managing a top level. This kitten buster, this charming kitten group. Sorry for mixing up names. So the same high level or ranked people in the organization that are running this group, they are also in charge of the managing, presenting and demonstrating capabilities for kinetic actions which was mentioned in some of the leaked documents that they actually profiled people in Turkey, Israeli citizens in Turkey and other places to actually go and target them and physically like kill them. That operation went south because they were arrested and the whole operation was busted basically. But also they also try to present this capability as showing a mean of being able to deliver pinpoint precision targeting within Israel by use of these drones that they have demonstrated nothing like, I guess as advanced or as capable as shy drones, probably on a smaller side like quadcopter scale. And that's pretty revealing as well. And I don't think there is any similar case out there openly at least that links so closely and so vividly internal documentations of a cyber threat actor also mixing with, delivering and demonstrating kinetic actions capabilities. We have seen before in the leaks that they were boasting or theorizing about how to Target a gas station or fuel pumps and whatnot in like muddy water leaks and a couple of other groups that were docs before there were documents that they were just more or less hallucinating about how to pull off this operation. But it was more just like someone sitting behind the disk assuming that it's that simple, that they're going to do it. But this is the first time that they have actually presented like a video demonstration of uas.
B
It's a credible threat is what you're saying. It's not a bunch of guys going like and then we'll plant a bomb and like don't like no one knows anything about it. This isn't. Yeah.
C
And also I think it was one of your recent podcasts I was listening to yesterday that you also mentioned that new opportunity pops up and they have enough talent and a decent organization workflow, organizational workflow in place that they can actually live, go live on that specific demand and target and use it in the field like this targeting that the AWS report mentioned. They were not something that they have probably pre positioned. They noticed the opportunity, they had enough people and talent to launch the operation and forwarded the intel to the like osis and they did the targeting on the ship. So that's a live operation going on, which is interesting and I think it's significant.
A
Just for people who haven't heard, AWS reported that they I think collected AIs automatic identification system, which is a shipborne situational awareness platform and they use that to identify a particular vendor vessel. And then I think they passed it to the Houthis who then launched a missile which didn't go anywhere and didn't destroy the vessel.
C
But case point again on this thing that I mentioned that they learn and repurpose what comes at them. Iranians were literally targeted by the very same system by I think an affiliated connection with laptop group that they outed and exposed all their like oil shipping fleet. That was pretty much the textbook. The same story that they broke into the platform, an Iranian platform that sells the solution to the government and it's deployed on all the ships. They use that to track live location and identify all of them. And the rest is in their telegram channel we can see. But this is again a literal copy of the similar operation that they have been a target of. Then they oh there is this way of tracking things too. Let's go and use it against them ourselves. So that was an interesting thing that I thought it's worth mentioning as well.
B
Right.
A
Well Hamid, that's been a fascinating, if somewhat grim discussion. But, like, I've really learned a lot. So thanks very much for making the time to come on between two three nodes. Hamid Keshvi, CEO and founder of Doxcel. Thanks very much.
C
Thank you very much for having me. It was a pleasure talking to you guys.
Risky Bulletin: "Between Three Nerds: The Evolution of Iranian Cyber Espionage"
Date: December 15, 2025
Host: Tom Uran (A), with The Gruk (B)
Guest: Hamid Kashvi (C), CEO and founder of DarkCell
Topic: The impact of the "Kitten Buster" leaks on Iranian cyber espionage, with deep insights into the evolution, structure, and tactics of Iranian APT groups, especially "Charming Kitten."
This episode dives into the recent "Kitten Buster" leaks, which exposed details about Iran’s Charming Kitten (aka APT 40, among other aliases), a group connected to the Revolutionary Guard (IRGC). Tom, The Gruk, and Hamid Kashvi unpack not only the leaks but also the broader evolution of Iran’s cyber ecosystem—how state attitudes, technical proficiency, community dynamics, and operational tactics have shifted over decades.
"I know individuals that have literally got rewarded... solely based on the fact that they have made a big splash in media and they literally go, hey look, I've been doing some awesome work and I'm a big deal, so give me more of that." (C, 02:17)
"Counterintelligence brands. They go medieval... they arrest people, they interrogate people, they turn things upside down." (C, 04:15)
"People would actually put it in their LinkedIn profile that we are doing this kind of work. I'm not joking." (C, 03:44)
"They literally forced pretty much all security forums, all open neutral gatherings... to dissolve and disappear and close, mostly out of the fear of being outed openly and unwillingly." (C, 07:23)
Comparison With North Korea:
"There is a growth... where they actually try to focus on technical sites that matter operationally, not just looking fancy or over engineering things." (C, 14:37)
Iranian APTs and 0-days:
"We have never seen, not that I know of, a case where an Iranian attributed threat actor group go pop, I don't know, firewall appliances... at scale." (C, 17:19)
"There was no systematic way of growing hackers... you need a factory. You need to build the pipeline of producing talent." (C, 22:13)
Learning From Adversaries:
"They have also learned and have made a system around getting hacked, finding samples, having people at it... to study how it works... and sling it back at where it came from." (C, 25:51)
Paranoia and Secrecy:
Recruitment Practices:
Young, Naive Recruits:
"You’re like, pen test, sure. If it's a pen test, it means legal... So they... steer people into that direction during job interviews.... If you do it, then we know you're actually good at it and we hire you." (C, 39:52)
"They turned out a little bit more organized than I thought they would be... you can reflect that in... the number of buildings. They have a whole dedicated team of translators..." (C, 42:59)
"[They] have literally prototyped... explosive UAVs as part of this... package that they drew delivered to cyber." (C, 44:09)
"They learn and repurpose what comes at them... translate those samples into incidents, into information, into knowledge, into operational capability." (C, 49:03)
"Whenever... their name appears up there in reward for justice or sanction list... they have literally got rewarded and have been promoted and have been securing extra budgets..." (C, 02:17)
"People would actually put it in their LinkedIn profile that we are doing this kind of work. I'm not joking." (C, 03:44)
"You need a factory. You need to build the pipeline of producing talent." (C, 22:13)
"They have... made a system around getting hacked, finding samples... to study how it works... and repurpose it and sling it back at where it came from." (C, 25:51)
"They gather intelligence to target people and then they also offer a solution to actually execute the operation and do the terror attacks..." (C, 44:09)
"Most compromises are caught by someone going, huh, that's funny..." (B, 29:40)
"If you're like 20 years old and this is your first opportunity, you buy it. Oh, yeah." (B, 39:35)
This episode is a comprehensive, insider’s view of Iran’s evolving cyber ecosystem—valuable for both technical audiences and those tracking cyber power geopolitics.