Pro-Iran hackers threaten ‘proportionate response’ if authorities disrupt dark-web sale of alleged Lockheed Martin data
The pro-Iran hacking group that claimed to have stolen a tranche of sensitive materials from Lockheed Martin and posted it for sale in a Russian- and English-language dark web marketplace threatened today that “any government intervention, regardless of its nature, will be met with a proportionate response.”
APT IRAN also declared “we have long-term plans for Lockheed” while claiming that a data release could cause “irreparable damage” to the company.
On March 23, APT IRAN originally demanded “about $400 million” from the United States — “the cost of building four F-35 fighters” — in ransom for 375 terabytes of sensitive information “including technical documentation from active military projects, confidential contracts, high-level personnel information and sensitive administrative emails.” The price has since gone up.
APT IRAN, which is closely linked to CyberAv3ngers and has previously focused on critical infrastructure targets, detailed at the beginning of the war an attack aimed at manipulating agricultural sector control systems in an incident the Jordanian government said was intended to destroy a strategic wheat stockpile. The group also claimed to have breached Jordan’s Bank al Etihad as well as “the management systems of the solar project in the Aqaba Special Economic Zone.”
CyberAv3ngers is an Iranian cyber actor affiliated with the Islamic Revolutionary Guard Corps that has claimed multiple critical infrastructure attacks in the past several years, primarily against the energy and water sectors in the United States, Israel and elsewhere. A Telegram channel under the group’s name was created last week, and in Sunday and Monday posts the group claimed that it had hacked warning sirens: “It is better for the residents of Israel to leave now … because the alarm will not sound in the next attacks.”
APT IRAN announced Friday a collaboration with CyberAv3ngers and Handala, the group behind this month’s massive wiper attack against medical technology company Stryker and the claimed hackers of FBI Director Kash Patel’s personal email, to inflict “irreparable damages” on U.S. water systems if the United States doesn’t “refrain from threatening the water infrastructure of Iran.”
When they first announced their breach claim, APT IRAN described the allegedly stolen Lockheed Martin data as “technical drawings and source codes” and “architectural documents for future missile defense systems,” along with internal emails from research teams and other unnamed items. APT IRAN also posted its statement in Chinese and Russian and claimed that a data sample to enforce their claim would be “coming soon.”
On March 22, the group released an email purported to be from a senior official at the company, along with a video showing access to the alleged inbox.
“We are currently receiving numerous requests from China, Russia, and Arab countries to sell this information to them, and some of them are even willing to pay for sample data, which is great,” APT IRAN said in a Telegram post the following day. “The interesting thing is that Trump’s allies are looking to buy this information from us at a very high price.”
Lockheed Martin said it was aware of the claim and has “policies and procedures in place to mitigate cyber threats to our business,” adding that the company remains “confident in the integrity of our robust, multilayered information systems and data security.”
After the 48-hour deadline set by the alleged hackers had passed without payment from the defense giant, APT IRAN announced March 26 that the price had jumped to $600 million and claimed it could go as high as $1 billion.
In a Q&A posted to their Telegram channel, APT IRAN claimed that they shared Lockheed data with the IRGC for free, “but this information is not only going to be available to the Iranians. We have many customers in China and Russia.” The hackers added that $600 million from Lockheed Martin only “might be able to provide this guarantee so that the information will only be in Iran’s hands and not sold to China, Russia, etc.”
Threat Market, a dark web marketplace that posts in Russian and English, acknowledged in an English-language post March 25 on their Telegram channel that APT IRAN “asked us to provide the necessary infrastructure to sell Lockheed Martin information,” adding that “our old friends have been asked for help and we are helping them.” Threat Market’s post claimed that “the volume of data extracted from Lockheed is very high” and “we were lost in a huge mountain of data.”
“The APT IRAN group asked for direct access to our admin panel and we gave them this access,” Threat Market added. “We will also put this money into the mixer and separate our percentage from the sales and mixers. Apparently this group intends to crush Lockheed and we will help this group too.”
On Sunday, Threat Market released a screenshot of an .onion link showing categorized subject buckets under the heading “Lockheed Martin.”
“All information stored in the cloud will be transferred, and new details will be added over time,” the post said in Russian. “Buyers can access detailed information about the purchase using the link below.”
Later in the day, they released a two-minute video hovering over the categories to reveal how many files were allegedly in each bucket. In English, Threat Market declared the “total data value” to be $374,821,400, and the “exclusive buyout price” to be $598,500,000.
APT IRAN carried those posts, and also posted screenshots of what they said were source codes from the alleged breach.
“FBI efforts to identify and block operational infrastructure have so far been unsuccessful,” the group said today in its warning against government intervention. “Constantly changing communication routes has eliminated the possibility of disruption.”
Handala, which vowed “the destruction of your infrastructure” shortly after the first U.S.-Israeli strikes on Iranian targets, claimed in a Wednesday post on Telegram that it had also targeted Lockheed Martin employees.
Handala issued a 48-hour response time for the “new phase of Operation Lockheed Martin,” claiming that they had “the complete data of 28 senior engineers based in the occupied territories and involved in military projects” including names, home addresses and service bases. They released a list of names and locations as well as some passport images.
“In recent hours, we have established contact with some of them to demonstrate just how fragile digital barriers can be,” Handala continued. “From conversations about their daily interests to ordinary details of their lives, all was done to show that ‘privacy’ is merely a word in a book, not a reality.”
They posted an image of a text message, obscuring the phone number except for the +972 Israel country code, in which the recipient was told that their “credentials as a Senior Engineer at Lockheed Martin have just been broadcast on Iranian television.”
“You have 48 hours to return home, after that, keep your eyes on the sky,” the message warned.