The Iranian Ministry of Communications and Information Technology shared the results of their investigation via the Iranian CERT (certcc.ir) which has announced the details of the hack in this PDF report. All of the websites in question, which most famously included ArmanDaily.ir, were hosted on the same platform, a Microsoft IIS webserver running ASP.net.
Most of the thirty hacked websites were insignificant as far as global traffic is concerned. But several are quite popular. We evaluated each site listed by CERTCC.ir by looking up its Alexa ranking. Alexa tracks the popularity of all websites on the Internet. Three of the sites are among the 100,000 most popular websites on the Internet.
These rankings would put the online readership of the top news sites listed on par with a mid-sized American newspaper. For example, the Fort Worth Star-Telegram ranks 31,375, while the Springfield, Illinois State Journal-Register is 84,882. (For more examples, the Boston Globe is 4,656, while the New York Times is #111.)
Hacked Sites not listed by Alexa among the top ten million sites on the Internet included: Aminehamee.ir, armanmeli.ir, Baharesalamat.ir, bighanooonline.ir, hadafeconomic.ir, kaenta.ir, naghshdaily.ir, niloofareabi.ir, sayehnews.com, setarezobh.ir, shahresabzeneyriz.ir.
CERTCC.ir’s report notes that the primary explanation of the attack is that all of the attacked news sites have “the default user name and password of the backup company” and a “high-level” gmail.com email account with the same username and password had permissions to all sites.
Although the official Islamic Republic News Agency says the source of the attack was “the United Kingdom and the United States”, that accusation is not entirely clear after reviewing the report from the CERT. The IP address 126.96.36.199 is listed by the Iranian CERT as being a UK based company using AS47453. Several sources, including Iranian site fa.alalam.ir, point out that this is actually a Bulgarian IP address. AS47453 belongs to “itservice.gb-net” with support details listed in Pleven, Bulgaria.
(Figure: 188.8.131.52 – mislabeled in the original CERTCC.ir report)
This error of IP address does seem to have been human error, rather than deception, and the CERT has released an updated version of the Iranian news site hacking report which can be found here, showing the corrected information.
(Figure: The corrected version of the report … (created Feb 12 0408AM))
The CERT report is rather uncomplimentary of the hackers, mentioning that there seem to have been several clumsy, failed attempts to dump a list of user IDs and passwords from the Content Management System database via SQL injection attacks, as well as several other automated attacks. In the end, however, the measure of a hacker is in many ways SUCCESS, and it does seem that the objective, shaming the Ayatollah by declaring his death on the eve of the Islamic Revolution holiday, was achieved.
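The failed injection attempts the CERT describes are exactly the kind of noise an IIS operator can pick out of the web server's own logs after the fact. The following is an added example, not code from the original post or from the CERTCC.ir report: a small triage script that parses IIS W3C extended log lines, URL-decodes the query string, and flags requests carrying common SQL injection indicators, then counts flagged requests per source address. The log lines, field layout, IP addresses and user agents are constructed samples, and the indicator patterns are a minimal heuristic set, not a complete signature list.

```python
"""Flag SQL-injection probes in IIS W3C extended log lines.

Added example (not from the original post or the CERTCC.ir report).
The log excerpt, addresses and user agents below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample of an IIS W3C log. Column order follows the #Fields line;
# IIS writes "-" for an empty query and replaces spaces in the user agent with "+",
# which is why a plain split on spaces is safe here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2018-02-08 10:14:02 10.0.0.5 GET /news.aspx id=4412 203.0.113.7 Mozilla/5.0 200
2018-02-08 10:14:09 10.0.0.5 GET /news.aspx id=4412'+OR+1=1-- 203.0.113.7 sqlmap/1.2 500
2018-02-08 10:14:11 10.0.0.5 GET /news.aspx id=4412+UNION+SELECT+username,password+FROM+users 203.0.113.7 sqlmap/1.2 500
2018-02-08 10:15:30 10.0.0.5 GET /admin/login.aspx - 198.51.100.9 Mozilla/5.0 200
2018-02-08 10:16:01 10.0.0.5 GET /search.aspx q=election+results 198.51.100.9 Mozilla/5.0 200
"""

# Heuristic indicators matched against the URL-decoded query string.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),       # tautology such as ' OR 1=1
    re.compile(r"\bunion\b.*\bselect\b", re.I),               # UNION SELECT column dump
    re.compile(r"--\s*$|;\s*--"),                             # SQL comment used as terminator
    re.compile(r"\b(xp_cmdshell|information_schema|sysobjects)\b", re.I),  # MSSQL metadata probes
]


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):    # malformed line: skip rather than misalign columns
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_sqli_probes(text):
    """Return the requests whose decoded query matches at least one indicator."""
    hits = []
    for row in parse_w3c(text):
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = unquote_plus(query)     # undo %xx and '+' encoding before matching
        reasons = [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]
        if reasons:
            hits.append({
                "time": f"{row['date']} {row['time']}",
                "source": row["c-ip"],
                "uri": f"{row['cs-uri-stem']}?{decoded}",
                "status": row["sc-status"],
                "reasons": reasons,
            })
    return hits


def probes_by_source(text):
    """Count flagged requests per client address, to surface automated scanners."""
    counts = {}
    for hit in find_sqli_probes(text):
        counts[hit["source"]] = counts.get(hit["source"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_sqli_probes(SAMPLE_LOG):
        print(f"{hit['time']} {hit['source']} {hit['status']} {hit['uri']}")
    print(probes_by_source(SAMPLE_LOG))
```

The 500 status on the flagged lines is itself a useful secondary signal: an injection attempt that breaks the query often surfaces as a server error, so correlating indicator hits with error responses from the same client narrows a large log down to the handful of requests worth reviewing by hand.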
While a source IP address alone cannot establish attack attribution, Newsweek reports that on the day the attack began (Thursday, February 8, 2018), Ayatollah Ali Khamenei gave a speech to commanders of the Iranian Air Force in which he claimed that the United States had created the Islamic State militant group and that the USA is responsible for all the death and destruction ISIS has caused. That could certainly serve as a motive for certain actors. The holiday itself, called "Death to America Day" by American politicians, included as usual the occasional burning of American, Israeli, and British flags, as well as several instances of Donald Trump effigies being burned, but overall the protests seemed more timid than in the past.
This is a Security Bloggers Network syndicated blog post authored by Gary Warner, UAB / PhishMe. Read the original post at: CyberCrime & Doing Time