{ "id": "8addcf6d-44e6-4c46-8573-768ebf8389fb", "created_at": "2026-04-06T00:22:20.919045Z", "updated_at": "2026-04-10T03:33:07.442524Z", "deleted_at": null, "sha1_hash": "fd6204edeee5cb503be68839aa397860168c7470", "title": "Hacking (Back) and Influence Operations", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1080004, "plain_text": "Hacking (Back) and Influence Operations\r\nBy x0rz\r\nPublished: 2019-04-19 · Archived: 2026-04-05 16:47:42 UTC\r\nThe new convergence of disinformation tactics and CNE in the Middle East\r\nWe all are collateral victims of very famous information operations, also known as influence operations. In the\r\ncyber realm they take full power: stealing information (via hacking or other means) is already a full time job, and\r\ndisseminating that information through the press or social networks to fit a narrative is generally the easy part.\r\nFor example the Shadow Brokers leaks could be categorized as an IO (Information Operation), disrupting the\r\nNSA and the US intelligence agencies while making them appear weak and evil-minded (see the WannaCry\r\naftermath and how the NSA has been held accountable for it). And it’s not the first time leaking is related to\r\nhacking: Guccifer 2.0 was an IO as well, now widely acknowledged to be part of a Russian Intelligence\r\ndisinformation campaign.\r\nThere are plenty other examples of these “hack \u0026 publish” operations, such as the Macron Leaks, this time\r\nreleased through Wikileaks. It was later suspected that Russia was involved.\r\nHacking, bots, media amplification, disinformation: the new convergence of disinformation tactics and\r\nCNE\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 1 of 8\n\nSteps to a “hack \u0026 publish” information operation\r\nAccording to the US doctrine:\r\nThe Secretary of Defense characterizes IO (Information Operations) as the integrated employment,\r\nduring military operations, of information-related capabilities in concert with other lines of operation to\r\ninfluence, disrupt, corrupt, or usurp the decision making of adversaries and potential adversaries\r\nwhile protecting our own.\r\nSource: Joint Publication 3–13\r\nBut would you believe other countries are doing the exact same thing?\r\nOperation Lannister\r\nOn March 18th 2019 I was contacted by a mysterious Mr_L4nnist3r, brand new Twitter account, that explicitly\r\nwanted to leak information regarding APT34, a hacking group believed to be originating from the MOIS, the\r\nMinistry of Intelligence of Iran also known as VAJA (ایران یِاسالمِ یِجمهورُ طالعاتّ\r\nَرِت ِا\r\nوزاِ Vezarat-e Ettela’at\r\nJomhuri-ye Eslami-ye Iran). This Mr_L4nnist3r said he was a former developer for APT34, he wanted money but\r\nmost of all he seemingly wanted to leak the data, even for free. Odd, but why not?\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 2 of 8\n\nMr_L4nnist3r contacting me\r\nThe files contain screenshots of the tools used, a target list and an archive with the BONDUPDATER malware\r\nsource code (a Node.JS server acting as the C2 and the Powershell payload). At this point it is clear that the files\r\nare genuine, coming from the APT34 hacking team, and most likely from operators or at least some sort of\r\ninternal infrastructure (similar to what the Shadow Brokers published). More technical details can be found on\r\nMisterch0c’s blog.\r\nNow why would a former developer working for the Iranian government would want to publish such documents?\r\nHe was apparently selling the data a few days later on some hacking forum, but somehow never mentioned a\r\nprice to me, even if he said he wanted money. Intriguing. Also Mr_L4nnist3r claimed to be responsible for\r\nDNSpionage, a cyberattack campaign attributed to Iran.\r\nPress enter or click to view image in full size\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 3 of 8\n\nMrL4nnist3r forum post trying to sell its documents\r\nThe files are clearly related to hacking activities, mentioning internal servers of targets, webshell URLs and such.\r\nOnly what a threat actor could harvest. Which means that either Mr_L4nnist3r is a former operator from APT34,\r\nor that APT34 (the MOIS) has been breached by a third party. This is also known as fourth-party collection\r\n(see this whitepaper by Juan Andres Guerrero-Saade \u0026 Costin Raiu):\r\nFourth-party collection involves interception of a foreign intelligence service’s ‘computer network\r\nexploitation’ (CNE) activity in a variety of possible configurations. Given the nature of Agency-A as a\r\ncyber-capable SIGINT entity, two modes of fourth-party collection are available to it: passive and\r\nactive. […]\r\nWhy Mr Lannister probably isn’t from APT34\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 4 of 8\n\nI personally believe this leak is being orchestrated by an outside party. He claimed to have been employed because\r\nof his “cyber knowledge”, but wasn’t aware of the Shadow Brokers when I mentioned it, which is really odd for\r\nsomeone apparently doing the same thing.\r\nGet x0rz’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nWhen confronted about his motivations, he was pretty vague and only wished to publish in order to “fuck the\r\nMOIS”. Well, that’s not really a strong stance for someone allegedly risking its life in Iran, you would at least be a\r\nlittle more passionate about your goal here. If you’re ready to die or get thrown into jail for a cause, you would at\r\nleast write a manifesto or be a little bit more convincing than “fuck the government”. If he was a former APT34\r\nmember, the MOIS would know his name and they have the capability to execute people outside their territory, he\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 5 of 8\n\nwouldn’t be safe anywhere. Yet, Mr_L4nnist3r is available for a chat on Twitter and Jabber like nothing could\r\nhappen to him. This story is just implausible.\r\nWhistleblower ≠ third-party leaker\r\nAlso, the documents leaked are relatively scarce (meticulously selected?), I believe a developer or operator from\r\nAPT34 would have accessed much more valuable information. Why not leaking the whole infrastructure? Why\r\ndropping documents without any context to it? Where are all the fun details? We’ve seen the Project Raven\r\ninvestigation uncovering the hacking efforts of UAE and what a former operator/analyst could describe. From the\r\nprocess of targeting people and how an operation is carried away down to the physical description of the offices.\r\nThis is what is missing here to make it an authentic “internal” whistleblower. And why I don’t believe this story\r\n— as it is being fed to the media.\r\nPress enter or click to view image in full size\r\nMiddle East Battle Lines (source: European Council on Foreign Relations)\r\nAttribution\r\nWell, who would want to hurt Iranian offensive capabilities the most? Probably a lot of countries, Israel and the\r\nUS at the top. Given the regional landscape and the current state of affairs, its neighboring countries are also good\r\ncandidates. APT34 being particularly active in the Middle East, where it is reported to be targeting Middle Eastern\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 6 of 8\n\ngovernmental agencies. This could very well be a counter-operation to the Iranian CNE efforts from one of its\r\nretaliating victims. Is this when Hack Back meets Information Warfare?\r\nPress enter or click to view image in full size\r\nTelegram group “Lab Dookhtegan” (origin of the leak) with political content against the Iranian\r\nMinistry of Intelligence\r\nConsidering the current media attention towards Saudi Arabia (notably the use of NSO hacking products in the\r\nKhashoggi case), it would make sense to think they could have done something to 1) shift media coverage against\r\nIranian hacking activities and 2) disrupt current APT34 operations known to target Saudi Arabia and its regional\r\nallies. But then again, who knows?\r\nOperation assessment\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 7 of 8\n\nSo far, this doesn’t appear to be as damaging to what the Shadow Brokers has done but all things considered I’m\r\npretty sure it succeeded in disrupting the CNE efforts of the Iranian intelligence services. Shifting the media\r\nattention to Iran? Not there yet, very few documents in the dataset, and journalistically not that interesting to\r\ncover. Although ZDnet and others covered the leak :\r\nBut Catalin Cimpanu correctly warns the reader :\r\nIn our Twitter conversation, the leaker claimed to have worked on the group’s DNSpionage campaign,\r\nbut this should be taken with a grain of salt, as the leaker could very well be a member of a foreign\r\nintelligence agency trying to hide their real identity while giving more credence to the authenticity of\r\nIran’s hacking tools and operations.\r\nInterestingly, our gut feelings tell us there’s something fishy going on with the leaker, something simply doesn’t\r\nadd up.\r\nI think there’s something missing for that leak to be originating from Iran, especially if the motive is political. Of\r\ncourse all of this is still a mystery and will probably stay that way. This is why these information operations are\r\ndamn effective and generally hard to formally trace : plausible deniability and the lack of available information to\r\ndebunk a story.\r\nDisinformation\r\nThis may seem a bit counterintuitive but this is disinformation, even if the documents are genuine. I couldn’t\r\nphrase it more accurately than the grugq :\r\nWe are only being served one side of the story, which happen to benefit one side only.\r\nSource: https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nhttps://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933" ], "report_names": [ "hacking-back-and-influence-operations-85cd52c1e933" ], "threat_actors": [ { "id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4", "created_at": "2022-10-25T15:50:23.458833Z", "updated_at": "2026-04-10T02:00:05.419537Z", "deleted_at": null, "main_name": "APT34", "aliases": null, "source_name": "MITRE:APT34", "tools": [ "netstat", "Systeminfo", "PsExec", "SEASHARPEE", "Tasklist", "Mimikatz", "POWRUNER", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a", "created_at": "2022-10-25T16:07:24.228663Z", "updated_at": "2026-04-10T02:00:04.905195Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "FruityArmor", "G0038", "Project Raven", "Stealth Falcon" ], "source_name": "ETDA:Stealth Falcon", "tools": [ "Deadglyph", "StealthFalcon" ], "source_id": "ETDA", "reports": null }, { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8d76e350-dfb5-4733-800d-876de41f690d", "created_at": "2023-01-06T13:46:38.841887Z", "updated_at": "2026-04-10T02:00:03.119083Z", "deleted_at": null, "main_name": "DNSpionage", "aliases": [ "COBALT EDGEWATER" ], "source_name": "MISPGALAXY:DNSpionage", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4632103e-8035-4a83-9ecb-c1e12e21288c", "created_at": "2022-10-25T16:07:23.542255Z", "updated_at": "2026-04-10T02:00:04.64888Z", "deleted_at": null, "main_name": "DNSpionage", "aliases": [], "source_name": "ETDA:DNSpionage", "tools": [ "Agent Drable", "AgentDrable", "CACTUSPIPE", "DNSpionage", "DropperBackdoor", "Karkoff", "MailDropper", "OILYFACE" ], "source_id": "ETDA", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434940, "ts_updated_at": 1775791987, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fd6204edeee5cb503be68839aa397860168c7470.pdf", "text": "https://archive.orkl.eu/fd6204edeee5cb503be68839aa397860168c7470.txt", "img": "https://archive.orkl.eu/fd6204edeee5cb503be68839aa397860168c7470.jpg" } }