Major Iranian hackers unite, threaten ‘irreparable damages’ to U.S. water systems
A trio of Iranian hacking groups with a track record of critical-infrastructure breaches has vowed to inflict “irreparable damages” on the United States’ water infrastructure if water systems in Iran are threatened, one of the groups said today while announcing their alliance.
APT IRAN, which is closely linked to CyberAv3ngers and has previously focused on operational technology targets, detailed, at the beginning of the war, an attack aimed at manipulating agricultural sector control systems in an incident the Jordanian government said was intended to destroy a strategic wheat stockpile. The group also claimed to have breached Jordan’s Bank al Etihad as well as “the management systems of the solar project in the Aqaba Special Economic Zone.”
APT IRAN claims it recently stole 375 terabytes of sensitive information “including technical documentation from active military projects, confidential contracts, high-level personnel information and sensitive administrative emails” from Lockheed Martin, though it is unknown whether the defense giant has been breached. The group also recently claimed, without proof, that it was behind a deadly explosion at a Nebraska wood refining facility last July.
“It is hereby announced that the Handala and CyberAv3ngers groups are under our direct support and that necessary support will be provided to them,” APT IRAN said in a Telegram post today. “If the FBI prevents the activities of these groups, a challenge will be created within the United States that will deprive them of the opportunity to deal with these groups.”
Handala, the group behind this month’s massive wiper attack against medical technology company Stryker, announced “FBI Breach coming soon” in a Thursday Telegram post, adding that “the FBI shouldn’t have started a confrontation and conflict with us.” They subsequently published photos and documents that they said came from FBI Director Kash Patel’s personal email; the Justice Department told Reuters that the materials appeared to be authentic.
CyberAv3ngers is an Iranian cyber actor affiliated with the Islamic Revolutionary Guard Corps that has claimed multiple critical infrastructure attacks in the past several years, primarily against the energy and water sectors in the United States, Israel and elsewhere. A Telegram channel under the group’s name was created Wednesday.
“Previous experience has shown that this warning is testable and incidents have occurred in the past for the water infrastructure of the United States,” APT IRAN’s post continued. “Therefore, it is emphasized to refrain from threatening the water infrastructure of Iran.”
“If this warning is not heeded, irreparable damages will be inflicted on the other side,” it concluded.
APT IRAN also posted a running hourglass while referencing their Thursday post in which they said the $400 million they originally demanded for the alleged stolen Lockheed Martin data had jumped to $600 million and could go as high as $1 billion.
“This decision is in line with the full coverage of the advanced infrastructure currently being implemented to manage Threat Market’s big data,” the group said, posting an Onion link where they said “this massive dataset will be uploaded.” Threat Market, a Russian-language underground data site, acknowledged in English on their Telegram channel that APT IRAN “asked us to provide the necessary infrastructure to sell Lockheed Martin information,” adding that “our old friends have been asked for help and we are helping them.”
In a Q&A posted to their Telegram channel, APT IRAN claimed that they shared Lockheed data with the IRGC for free, “but this information is not only going to be available to the Iranians. We have many customers in China and Russia.” The hackers added that $600 million from Lockheed Martin only “might be able to provide this guarantee so that the information will only be in Iran’s hands and not sold to China, Russia, etc.”
Handala, which vowed “the destruction of your infrastructure” shortly after the first U.S.-Israeli strikes on Iranian targets, claimed in a Wednesday post on Telegram that it had also targeted Lockheed Martin employees.
Handala issued a 48-hour response time for the “new phase of Operation Lockheed Martin,” claiming that they had “the complete data of 28 senior engineers based in the occupied territories and involved in military projects” including names, home addresses and service bases. They released a list of names and locations as well as some passport images.
“In recent hours, we have established contact with some of them to demonstrate just how fragile digital barriers can be,” Handala continued. “From conversations about their daily interests to ordinary details of their lives, all was done to show that ‘privacy’ is merely a word in a book, not a reality.”
They posted an image of a text message, obscuring the phone number except for the +972 Israel country code, in which the recipient was told that their “credentials as a Senior Engineer at Lockheed Martin have just been broadcast on Iranian television.”
“You have 48 hours to return home, after that, keep your eyes on the sky,” the message warned.