Sunday, April 25, 2010

Iranian "Sun-Army" attacks NASA and JDA

What do NASA, the US space agency, and the Jerusalem Development Authority of the Israeli government have in common? Both were attacked this week by a new Iranian hacking group, "Sun-Army".

The defacement archive Zone-H.org records this group's first reported hacks on February 17th and February 27th; the batch it lists under the 23rd defaced:

maorm.larc.nasa.gov
pic.larc.nasa.gov
fabrication.larc.nasa.gov
ohcm.larc.nasa.gov
sw-eng.larc.nasa.gov
cmar.larc.nasa.gov
careertalk.larc.nasa.gov
oea.larc.nasa.gov
technologygateway.nasa.gov

www.zhemgang.gov.bt
www.jda.gov.il



Their earlier defacements accuse "traitors to the Islamic Republic of Iran" and quote the Quran, citing "Sura Araf verse 179".

The text actually quoted is the law-of-retaliation (qisas) verse, which is Surah al-Baqarah 2:179 rather than al-A'raf 7:179. It says, "And in the law of retaliation there is saving of life for you, O people of understanding, so that you may guard yourselves against evil."

(This verse was a teaching against "tribal feuds". Before the Quran, when someone was killed, his family would seek vengeance by killing as many of the murderer's tribe as they could. This passage teaches that retaliation should be one for one: the aggrieved party may seek limited vengeance, but once retaliation has been achieved there should be no ongoing feud. Lives are saved by limiting the retaliation.)

Here is their defacement of the Jerusalem Development Authority:



The current NASA defacement contained this English language text:

In The Name Of God

The NASA organization, which is funded by the USA and plays an important role not only in most scientific fields but also in many other projects like "Star Wars", which was aimed to weaken the former Soviet Union, has now come down to its knees toward the scientific level of young Iranians and Iran, the birthplace of Cyrus the Great, who formed the biggest empire the world has ever seen.

The scientific apartheid which is imposed by the USA and its allies can never prevent us from progressing on the international scene, especially in peaceful nuclear energy.

We Congratulate You On The Occasion Of World's Astronomical Day


The same message is repeated in Persian, with the following line added at the end:

که ایران و ایران زمین زنده باد /// سر افراز و جاوید و پاینده باد

I can't seem to translate that well; Google Translate renders it as:

Iran and the Iranian Live Earth / / / partition and the eternal and lasting head wind

(If you can provide a better translation, please let me know! gar at uab dot edu)



The more recent defacement points to the Sun-Army.com website, shown here:



The Sun-Army says on their website that they were created by inviting the leaders of many influential hacking groups to join forces under the new name to support Iran's security and the Quran. They claim the group was created on February 26, 2010.

Mehdy007 is a fairly regular visitor to the Iranian hacking site Ashiyane Digital Security. One of his posts, from August 2009, shows him uploading links to a set of 55 hacking videos on a wide range of hacking topics. On February 24th of this year he was sharing SQL injection attack techniques with the group, one of which he demonstrated by hacking "sciencescotland.org".

Nitrojen26 is also a member at Ashiyane, and has in the past used the Yahoo email address "Nitrojen26@yahoo.com".

The.Mo3tafA, Nitrojen26, and BodyGuard all regularly show up on pages defaced under the name "Ashiyane Digital Security Team" along with Behrooz_Ice and Q7x, with this trademark logo:



MagicCoder is a relative newcomer to the group, though he has done some solo hacking according to his Zone-H stats, and has his own logo as well:



He uses the Gmail address magicc0d3r@gmail.com.

PLUS is an unknown to me. It is a great hacker name, since it is basically impossible to Google-search. He has been involved as a named party on a number of "team defacements" for Ashiyane, including ones that left this fairly recent tag:



On defacements that use that image, the message in Persian and English is:

Our belligerence is religious and does not recognize any borders; thus we are here as long as atheism and blasphemy exist. We know that only you would have the effrontery to blaspheme against Imam Khomeini. This is just a warning to your governmental sites!


The list of members on those hacks is:

Behrooz_Ice - Q7x - Sha2ow - Virangar - Nitrojen26 - BodyGuard - tHe.Mo3tafA - MagicCoder - 0261 - Ali_Eagle - PLUS - Jok3r - System.Fehler
We Love Iran
Ashiyane Digital Security Team




The WHOIS registration information for Sun-Army.com lists the same email address as their defacements -- sun.army@asia.com -- as well as this address:

Sun Army
Sun Army (sun.army@asia.com)
Iranian Apartment. Azadi Sq. Tehran
Tehran
Zanjan,12365
IR
Tel. +009.2122532689

Domain servers in listed order:
ns4.mihanblog.com
ns3.mihanblog.com


The domain was registered through PublicDomainRegistry.com (Directi Internet Solutions).

Those nameservers serve more than 700 other domains, mostly under the Iranian country-code TLD, ".ir".
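The pivot above (registrant email on the WHOIS record matches the email left on the defacements; the nameservers lead to hundreds of co-hosted domains) is easy to do by hand once, but worth scripting when a group registers more than one domain. The following is an added example, not code from the original post. The WHOIS text is a copy of the record quoted above; the nameserver observations are constructed sample data standing in for a passive-DNS or Zone-H export, and every domain in it other than sun-army.com and karrar.ir is hypothetical. The parser handles both the "Domain servers in listed order:" layout shown here and the "Name Server:" layout used by other registrars.

```python
"""Pivot from a WHOIS record to co-hosted domains via shared nameservers.

Added example, not part of the original post. SUN_ARMY_WHOIS is the record
quoted in the post; NS_OBSERVATIONS is constructed sample data.
"""
import re
from collections import defaultdict

# WHOIS record as quoted in the post (whitespace normalised).
SUN_ARMY_WHOIS = """\
Registrant:
Sun Army
Sun Army (sun.army@asia.com)
Iranian Apartment. Azadi Sq. Tehran
Tehran
Zanjan,12365
IR
Tel. +009.2122532689

Domain servers in listed order:
ns4.mihanblog.com
ns3.mihanblog.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
NS_FIELD_RE = re.compile(r"name\s*servers?\s*:\s*(\S+)", re.IGNORECASE)


def parse_whois(text):
    """Return (emails, nameservers) found in a raw WHOIS record.

    Emails are taken from anywhere in the record. Nameservers come either
    from 'Name Server: host' fields or from the hostname lines that follow
    a 'Domain servers in listed order:' header.
    """
    emails = sorted({m.lower() for m in EMAIL_RE.findall(text)})
    nameservers = []
    in_ns_block = False
    for raw in text.splitlines():
        line = raw.strip()
        field = NS_FIELD_RE.match(line)
        if field:
            nameservers.append(field.group(1).lower())
            continue
        if line.lower().startswith("domain servers"):
            in_ns_block = True
            continue
        if in_ns_block:
            if HOSTNAME_RE.match(line):
                nameservers.append(line.lower())
            elif line:
                in_ns_block = False  # first non-hostname line ends the block
    return emails, nameservers


# Constructed sample of (domain, nameserver) observations, the shape a
# passive-DNS or Zone-H export gives you. Only sun-army.com and karrar.ir
# are from the post; the rest are hypothetical.
NS_OBSERVATIONS = [
    ("sun-army.com", "ns3.mihanblog.com"),
    ("sun-army.com", "ns4.mihanblog.com"),
    ("karrar.ir", "ns3.mihanblog.com"),
    ("karrar.ir", "ns4.mihanblog.com"),
    ("example-blog.ir", "ns3.mihanblog.com"),   # hypothetical
    ("unrelated.example", "ns1.example.net"),   # hypothetical
]


def index_by_nameserver(observations):
    """Map each nameserver to the set of domains observed using it."""
    idx = defaultdict(set)
    for domain, ns in observations:
        idx[ns.lower()].add(domain.lower())
    return idx


def cohosted_domains(observations, nameservers, exclude=()):
    """Domains that share at least one of the given nameservers."""
    idx = index_by_nameserver(observations)
    hits = set()
    for ns in nameservers:
        hits |= idx.get(ns.lower(), set())
    return sorted(hits - {d.lower() for d in exclude})


def matches_defacement_contact(emails, defacement_contacts):
    """Registrant emails that also appear on the defacement pages."""
    return sorted(set(emails) & {c.lower() for c in defacement_contacts})


if __name__ == "__main__":
    emails, ns = parse_whois(SUN_ARMY_WHOIS)
    print("registrant emails:", emails)
    print("nameservers:", ns)
    print("also seen on defacements:",
          matches_defacement_contact(emails, ["sun.army@asia.com"]))
    print("co-hosted domains:",
          cohosted_domains(NS_OBSERVATIONS, ns, exclude=["sun-army.com"]))
```

The list of co-hosted domains is the input for the next step the post takes by hand: checking each one against Google SafeBrowsing. Shared nameservers at a blog host like mihanblog.com are weak evidence on their own (hundreds of unrelated blogs use them), so the registrant-email match is the link that ties the site to the defacements; the nameserver pivot only tells you what else lives on the same infrastructure.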

Many of those domains are flagged as attack pages, such as "karrar.ir", which Google SafeBrowsing describes as follows:

What happened when Google visited this site?

Of the 871 pages we tested on the site over the past 90 days, 37 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-25, and the last time suspicious content was found on this site was on 2010-04-22.

Malicious software includes 987 scripting exploit(s).

Malicious software is hosted on 4 domain(s), including link313m.persiangig.com/, link313m.blogfa.com/, bidel.ir.googlepages.com/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including link313m.blogfa.com/, boxeshia-sonni.mihanblog.com/.

This site was hosted on 1 network(s) including AS30176 (PRIORITYCOLO).


Following the links from that SafeBrowsing page turns up further malware warnings, including malware being distributed via "sarzaminnews.mihanblog.com", "karrar.mihanblog.com", and "karrar.ir".

1 comment:

  1. Is Sun Army now operating as Rocket Kitten? I believe China's PLA has been sharing vulnerabilities such as trap doors with Iran.


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.