{
	"id": "d9a07d90-5ac8-4148-ba32-a0a1dca82a98",
	"created_at": "2026-04-06T00:12:26.451068Z",
	"updated_at": "2026-04-10T03:37:08.50964Z",
	"deleted_at": null,
	"sha1_hash": "c5d12d852d5268b86fb5a37f97058b946bf6c940",
	"title": "Iridium cyberespionage gang behind Aussie parliament attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2876463,
	"plain_text": "Iridium cyberespionage gang behind Aussie parliament attacks\r\nBy Doug Olenick\r\nPublished: 2019-03-02 · Archived: 2026-04-05 18:57:23 UTC\r\nIranian actors that are possibly backed by segments of that nation’s government are likely behind an ongoing\r\ncyberespionage campaign that most recently targeted the Australian Parliament.\r\nThe group named Iridium is the likely culprit, reported Resecurity in a recent report, which gave an extensive look\r\nat the gang, its targets and some of its past operations. The company did not directly tie Iridium to Iran, but laid\r\nout the circumstantial evidence that may point in that direction.\r\nThe Australian attacks began on December 23, 2018, when two government agencies were penetrated, resulting in\r\na two-stage attack taking place in January and February 2019.\r\nResecurity said the first stage was oriented toward Windows-based server-side environments, with the second stage\r\nof the attack happening in February 2019, leveraging targeted email compromise through a government Global\r\nAccess List. This list gave Resecurity one of its best clues that Iridium had penetrated the Australian\r\nsystem, as the security firm found the list in a file confirmed as being used by Iridium.\r\n“It stands as evidence of a successful email compromise because a threat actor needs to have hacked into at least\r\none account on the Parliament server to have dumped this information. Once access has been gained and the\r\nnetwork intrusion has been conducted, IRIDIUM uses proprietary developed tradecraft and also web shells and\r\nback-connect backdoors that are available on the dark web and through public sources,” the report stated.\r\nResecurity through its research was able to put together a dossier on Iridium. 
The gang acts on behalf of an\r\nintelligence agency focused on foreign politicians, and its multi-year campaign shows spikes in activity just after\r\nanti-Iranian activity takes place on the world stage, such as when the Iran nuclear deal was revoked by the U.S.\r\n(Australia is not a signatory of the deal, but late last year considered pulling its endorsement), or after an event\r\nmarking 70 years of friendship between Australia and Israel.\r\nGenerally, Iridium attacks sensitive government, diplomatic, and military resources in the countries comprising\r\nthe Five Eyes intelligence alliance: Australia, Canada, New Zealand, the U.K. and the United States.\r\nThe group itself is not just composed of Iranians, but also includes Syrians, Lebanese, Palestinians and for-hire\r\nblack hats. Their contributions can make final attribution difficult, Resecurity said.\r\nOther bits of evidence that point to Iran are that the tools, techniques and procedures associated with these attack\r\npatterns are almost identical to those of the Mabna Hackers and other actors having close ties with the Iranian\r\nRevolutionary Guard Corps, Resecurity said. Mabna is also believed to have conducted a massive strike last year\r\nagainst 320 universities in 22 countries.\r\nThe attacks were severe enough to warrant having the parliamentarians change their passwords, Resecurity said.\r\nSource: https://www.scmagazine.com/home/security-news/apts-cyberespionage/iridium-cyberespionage-gang-behind-aussie-parliament-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.scmagazine.com/home/security-news/apts-cyberespionage/iridium-cyberespionage-gang-behind-aussie-parliament-attacks/"
	],
	"report_names": [
		"iridium-cyberespionage-gang-behind-aussie-parliament-attacks"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5d12d852d5268b86fb5a37f97058b946bf6c940.pdf",
		"text": "https://archive.orkl.eu/c5d12d852d5268b86fb5a37f97058b946bf6c940.txt",
		"img": "https://archive.orkl.eu/c5d12d852d5268b86fb5a37f97058b946bf6c940.jpg"
	}
}