Show Notes

Cold Open

The following presentation is not suitable for young children. Listener discretion is advised…

On July 30th, 2013, an email arrived in Monica Witt’s inbox. 

The 33-year-old American from El Paso, Texas was waiting by the computer inside her small Kabul apartment. It was all she could afford on the salary of an English language teacher in the capital of Afghanistan. 

In the past few weeks, a suicide bomber had killed 16 people and wounded 40 across town at the Supreme Court building. Days later, eight Taliban commandos snuck into the country’s presidential palace with fake high-level security clearances and opened fire, killing three. 

It was the everyday peril of living in a warzone. This email was Monica’s ticket out. 

The email was from Marzieh Hashemi. Marzieh was born in New Orleans under the name Melanie Franklin, but after the Iranian Revolution in 1979, she converted to Islam and moved to Iran.

Now, she was a documentary filmmaker. Monica had appeared in a couple of Marzieh’s documentaries, in which she criticized America. The FBI had warned Monica that Marzieh was probably trying to recruit her to spy for Iran, but Monica didn’t care. Marzieh was the closest thing Monica had to a real friend.

Monica opened the email.

“MONICA ARE YOU THERE??? The name of the ambassador is Mr. Shehr Doost. His mobile is 009929 196xxxxx. Right now he is not in Dushanbe, but you are to call him at 7pm and then go and see him. When you call him on the phone just say that you are the one who is supposed to see him today for a visa and that’s it.”

Monica’s heart raced. This was it. She could barely focus as the hours passed until 7pm, when she made the call and set up the appointment. 

Monica drew the curtains and spent a sleepless night in her apartment. The US government could easily be monitoring her emails. There could be FBI agents on the way to arrest her right now. Or maybe a CIA hit squad. She knew what her government was capable of. 

Finally, morning arrived. Monica changed and took a taxi to the Iranian embassy in Kabul. 

As she approached the entrance, she noticed a photographer snapping pictures. Was he taking photos of her? Shit. Did he work for the Iranians? The Americans? Someone else? The photographer noticed Monica’s glare and walked away. 

Not a great start. 

Monica was brought in to see the ambassador, and she began to tell her story.

Mr. Ambassador, I want to defect to Iran. 

The ambassador said nothing. Monica knew that the Iranians weren’t sure if they could trust her. She could easily be a double agent sent to spy on Iran.

As I’m sure you know, I used to work for Air Force intelligence. I’m prepared to give up classified information, access to computer networks, and the identities of my former colleagues. 

The ambassador still said nothing. 

But most of all, I love your country. I’ve seen the atrocities America is capable of. Iran is righteous and it is my duty to serve her. 

Finally, the ambassador smiled. 

We’re grateful to have you. 

The ambassador arranged for Monica to fly to Dubai, where that country’s ambassador from Iran would arrange Monica’s Iranian visa.

Monica was on the next available flight. When she arrived, she checked into a hotel. There was no word about her visa, but she wasn’t concerned. So, she waited. 

Two weeks went by.

Was Iran getting cold feet? There was no going back. By renouncing her home country, Monica Witt had made herself a fugitive. Now, if Iran changed its mind, she’d have nowhere to go.

She decided not to leave her hotel room except for dire necessity. If she did, American spies could be watching. Plotting against her. 

Even if they were, Marzieh was her only lifeline. So Monica kept emailing her. Desperate, Monica suggested that she could fly to Turkey and defect there. Or, she could go to Russia and pull an “Edward Snowden,” leaking everything she knew to the international media.

That sped things up. Not wanting to risk losing such a valuable intelligence asset, the Iranians agreed to bring Monica in.

On August 28, Monica wrote her final email to Marzieh:

“I’m signing off and heading out! Coming home!” And then, she boarded a flight to Tehran.

As she stepped onto the plane, she knew that Monica Witt was gone. She’d already picked out a new name for herself: Fatemah Zarah.

With the information in her possession, she would help kick off a new era in Iran’s cyberwarfare program. And her former country, the United States, was at the top of the target list.

On this episode: American defectors, Islamic theocracies, patriotic hackers, online proxy wars, and Game of Thrones. I’m Keith Korneluk and you’re listening to Modem Mischief.

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of Rocket Kitten. Aka Flying Kitten. Aka Charming Kitten. Aka…well, we’ll get to that. 

Act One

On this show, we’ve covered state-sponsored hacking in many countries, like Russia, Israel, North Korea, Syria, and the United Arab Emirates. For almost all of those stories, we’ve relied on firsthand accounts of people who were involved.

That’s not the case with Iran. To date, nobody has stepped forward to describe how they hacked for the Iranian government, at least not to a Western news source. All we have to go on are technical reports by cybersecurity companies, and criminal indictments from the American Justice Department. 

So, the lives and motivations of Iran’s hackers remain murky. This adds another layer of mystery to the already shrouded world of state-sponsored hacking.

But here’s what we do know.

Today’s Iran began in 1979, when Ayatollah Khomeini led a revolution to overthrow the American-supported shah, Reza Pahlavi. This made Khomeini the Supreme Leader of the state. Since then, Iran has been ruled by a series of Ayatollahs, the highest-ranking religious official in Shi’a Islam. 

In other words, Iran has been a theocracy for more than 40 years, governed by its top religious official. While it does have the appearance of an Islamic Republic, in fact everyone from the rank of president down to the rank of restaurant inspector owes allegiance to the Supreme Leader. 

In 1992, Iran became the second Middle Eastern country to get the Internet. It was a breakthrough, but it came with risk. Iran wanted the latest technology, to be connected to the world at large. Yet the Internet also allowed Iran’s citizens to experience alternate points of view. 

That tension remains to this day. 

As the 21st century began, Iran soon realized the need to defend itself against cyberattacks.

In 2005, Iran created a unit within the Islamic Revolutionary Guard Corps called the Iranian Cyber Army. This was a military hacking unit. In the early years, its attacks were relatively simple. It defaced websites in rival countries like Saudi Arabia, or it issued Denial of Service attacks against critics of the Ayatollah. 

Things changed in 2009. That year, authoritarian president Mahmoud Ahmadinejad claimed victory in his re-election campaign against reformer Mir Hossein Mousavi, despite many irregularities. This led to the Green Movement, which demanded Ahmadinejad’s removal from power. Much of the movement was organized online.

Perhaps, the Ayatollah realized, allowing the Internet into Iran was a mistake. 

The Ayatollah ordered the Iranian Cyber Army to track and hack Iranian human rights groups. At one point, the Iranian Cyber Army hacked Twitter to redirect visitors away from a Green Movement page and towards a pro-Ahmadinejad website.

Iran suppressed the Green Movement, but the episode was a wake up call.

And the following year, Iran would get another. 

In 2010, Iran discovered that the United States and Israel had uploaded a virus to its Natanz nuclear power plant. The virus, called Stuxnet, first entered Natanz in 2007. It routinely sabotaged the site’s nuclear centrifuges, preventing Iran from developing nuclear material to make bombs. And if you’d like to learn more about Stuxnet, check out episode 9 of this show where we covered it in detail. 

Iran was humiliated, but it learned its lesson. It was facing internal and external threats online. It needed to expand its cyberwarfare program. It needed to be able to mount offensive operations, like the Stuxnet virus. 

But Iran didn’t expand the Iranian Cyber Army. Instead, it began contracting the work out to private cybersecurity companies.

Why? Well, one year after the Ayatollah’s revolution in 1979, Iran fought a bloody war with Iraq that lasted nine years and cost 300,000 Iranian lives. For generations afterward, this made Iran reluctant to carry out military operations directly, relying instead on proxy groups: Hezbollah in Syria, the Badr Organization in Iraq, or the Houthi Rebels in Yemen.

Iran’s cyberwarfare strategy is similar. Instead of hacking with its military directly, it uses civilian hackers as proxies. This way, if the hackers are ever caught, Iran can deny its involvement. Even better, if one particular hacking team gets caught, the Iranian government can easily replace it with another.

Luckily for Iran, the country was already home to a community of so-called “patriotic hackers,” or, civilian hackers who take it upon themselves to hack their country’s enemies. Practically every country connected to the Internet has them.

One of the earliest hacking groups the Iranian government worked with was Rocket Kitten—although it wouldn’t be called that until 2014.

Before we go any further, it’s important to know that Rocket Kitten is just one of dozens of Iranian hacking groups that work with the Iranian government. Usually, these groups are made up of about 5 to 10 people. These hackers work during business hours in Tehran office buildings. Some are devout Muslims. Others chat openly about their drug use and fondness for pornography (any guesses which group Team Modem Mischief would be a part of…yeah).

Some hacking groups work with the Iranian Revolutionary Guard Corps. Others work with Iran’s Ministry of Intelligence. Most groups are assigned a mid-level military officer to coordinate their operations. Each group has many different names, depending on who’s talking about them. And most likely, there’s a lot of overlap between the groups.

So, singling out one of them as its own entity is nearly impossible. The Justice Department can’t do it, so what hope do three guys with a microphone have? Just kidding. Modem Mischief Industries has hundreds of employees. No, thousands. I’m the king of the world!

SFX: Titanic theme for 2 seconds

The group called Rocket Kitten started in 2010, around the time the Stuxnet virus was discovered.

Rocket Kitten has had many names over the years. Advanced Persistent Threat Group 35. Flying Kitten. Charming Kitten. Ajax Security Team. Phosphorus. It’s possible some of these are different groups, but for simplicity’s sake, we’ll stick with “Rocket Kitten.”

Rocket Kitten began on Iranian hacker forums, with names like Ashiyane and Shabgard. There, a hacker named Cair3x emerged on the scene. 

To this day, we don’t know any biographical details about Cair3x. Not even his birthday. But we do know that Cair3x was also a patriot. On his personal blog, he shared government propaganda, and he railed against foreigners who disparaged Islam and the Prophet Muhammad.  

Cair3x enjoyed defacing websites—and bragging about it on hacker forums. Often, Cair3x defaced websites belonging to political organizations from Iran’s enemies, like the United States and Saudi Arabia. In one post, Cair3x wrote:

In late hours of Wednesday, June 24, 2012, we attacked anti-Iranian websites and defaced them by writing the words “We are young but we can” on their websites. This is so the enemies of this country know that the blood of our martyrs will never be in vain and they will always be remembered in the heart of gallant Iranians.

By 2013, Cair3x’s exploits had attracted over 230 followers. On forums, this unofficial group began calling itself “AjaxTM.” 

This attracted the attention of the Islamic Revolutionary Guards Corps, and the Iranian Cyber Army. We don’t know how they first contacted Cair3x and his crew, or when they began working with them. 

With the government’s guidance, Cair3x and a handful of hacker companions set up Pars Pardazesh Hafez Shiraz Ltd. On the surface, the small Iranian firm was a cybersecurity company, offering penetration testing, wireless hacking, and security training.

In fact, it was a front for AjaxTM’s new operations: cyberwarfare. 

The group that would come to be known as Rocket Kitten would leave its old tactics behind. The last time Cair3x and his team defaced a website was in December 2013. After that, the group began focusing its efforts on spying.

One of the AjaxTM forum’s newer members went by the handle Wool3n.H4t. He was an expert in malware—malicious software that’s downloaded onto a target computer.

With Wool3n.H4t’s help, Cair3x went after his first target: the 2014 IEEE Aerospace Conference.

“IEEE” stands for “Institute of Electrical and Electronics Engineers.” Like the name suggests, it’s a national organization of engineers that, among other things, hosts annual conferences. 

The Aerospace Conference is held every year at the Yellowstone Conference Center in Big Sky, Montana. There, aerospace experts, military personnel, and private defense contractors get together to publish their latest discoveries in the aerospace field.

In other words, people a lot smarter than us get together to figure out how to make airplanes and spaceships fly better.

To be fair, I have a degree in acting. Yes, I’m serious.

For Rocket Kitten, the IEEE Aerospace conference was a potential goldmine. Cair3x knew that everyone attending the conference potentially had access to top-secret information. So, Cair3x came up with a plan.

Wool3n.H4t set up a dummy website called aeroconf2014.org. Then, they sent out emails to public email addresses belonging to companies and organizations that would be attending the conference.

The site was loaded with malware. Their malware expert, Wool3n.H4t, opted to use a malware aptly named “Stealer.”

Countries like the US, China, and Russia all have the latest in high-tech hacking tools and malware, which can cost millions of dollars. These can be built from scratch, or purchased from private companies.

Stealer, on the other hand, is an “off-the-shelf” program available on the dark web for about 150 bucks. It’s a basic data collection tool. If a target computer downloads Stealer, it can track a target’s internet use, harvest passwords, take screenshots, collect location information, and log keystrokes. Rocket Kitten downloaded Stealer and altered its code to serve its purposes. 

Next, Wool3n.H4t sent out emails directing recipients to their dummy website. It looked like a page where they could register for the conference, but in fact it was laced with Stealer. 

Not surprisingly, nobody was fooled.

The aerospace community complained to the IEEE. Since the dummy website hadn’t successfully hacked anyone, it wasn’t quite a criminal matter. Still, the IEEE wanted to get to the bottom of it. So, they reached out to the cybersecurity firm FireEye.

At the time, FireEye was a major player on the cybersecurity scene. With over 900 employees, it had offices all around the world. It had already studied many of the other Iranian hacking groups we mentioned earlier. 

The call landed on the desk of Nart Villeneuve, a FireEye researcher based in Toronto. He was a punk rock type with pointy sideburns, who lived in a basement apartment along with eight computers. Two years earlier, he’d made his name by exposing a hacker who tried to break into the Dalai Lama’s email system.

Villeneuve and his team named the IEEE attack “Operation Saffron Rose,” and dug into the dummy website. They were quickly able to determine the email addresses of the individuals who had registered the domain names for aeroconf2014.org. Those email addresses were all registered to the AjaxTM forum page in Iran. The hackers hadn’t bothered covering their tracks.

Nart and his team found their way onto the Iranian hacker forums, where they discovered years’ worth of details on their website defacements. It was all so…amateurish.

But Nart also understood that the IEEE Aerospace hacking scheme was a shift in their tactics. What else was this hacking group up to?

Nart and his team scoured the Internet. They zeroed in on the username Wool3n.H4t. Soon, they discovered that Wool3n.H4t had also been working on another project—one that was much more effective.

While Iran has had the Internet since 1992, it’s highly restricted. Every Iranian Internet Service Provider is required to include censorship tools that block access to websites the government deems unacceptable.

Nart’s team discovered that a modified version of the same hacking tool, Stealer, had been injected into these censorship tools. That meant that not only could the Iranian government block what its citizens could access online, it could also spy on them. 

Nart and company published their findings in May 2014. Altogether, 77 Iranian activists had downloaded the malware. But again, given how restricted the Iranian Internet is, it was unlikely those activists would ever hear about the FireEye report. 

But for Cair3x, Wool3n.H4t, and the other members of Ajax Security Team, the report was a bombshell. They knew their cover was blown. They could point fingers all they wanted; this would be the end of their working relationship with the Iranian military. If they were lucky, they might latch onto other projects in the future.

The FireEye report was also a call to action for the international cybersecurity community. Here was a new Advanced Persistent Threat group, based in Iran. Around the world, cybersecurity companies jumped at the chance to study this group and publish their findings. 

In December 2014, the Israeli cybersecurity firm ClearSky tracked the same modified Stealer malware to a phishing campaign against Israeli academics. In their report, they named the group “Rocket Kitten.”

About that. The cybersecurity community often assigns animals to represent different countries’ cyberwarfare groups. Russian groups are “Bear,” Chinese groups are “Panda,” and so on.

Iran got “Kitten,” which pretty much tells you everything you need to know about how the cybersecurity community viewed them.

Months later, the American-Israeli cybersecurity firm Check Point published its own report about the hacking group. Its investigator, Shahar Tal, managed to hack into Rocket Kitten’s online database, which was called Oyun. Not only did it list details about nearly 2,000 hacks and phishing campaigns, it even included some Rocket Kitten members’ real names.

Wool3n.H4t was a fortysomething Iranian software engineer named Yaser Balaghi.

Check Point discovered Wool3n.H4t’s real name by combing through the Stealer malware’s code. The IP address used by the hacker Wool3n.H4t had also been used to register an AOL account with the username “yaserbalaghi.”

That’s right, Balaghi hadn’t even bothered giving himself a screen name to hide his identity. 

With Balaghi’s name in hand, Check Point dug into Yaser Balaghi’s background. It quickly discovered a resume under that name, written in Farsi.

Yaser Balaghi’s resume described him as “Head of Security and Hacking” at a private company in Iran. He didn’t specify the company’s name, but he made sure to point out that his work was “legal and ethical.” He also detailed a phishing attack program he’d developed for an unspecified “cyber-organization.”

The guy was just trying to find a new job. But this resume was the strongest evidence yet that Iran was sponsoring hacking programs against its enemies. 

“Rocket Kitten” was finally exposed. But it wasn’t dead yet. Not even close.

While the cybersecurity community continued chasing Rocket Kitten, the Iranian cyberwarfare program had already moved on to other targets. And the arrival of an American defector would kick things into high gear.

Act Two

In early January, 2015, Fatemah Zarah, aka Monica Witt, was watching herself in the mirror as she tied her blue hijab, and frowned. True, she was much faster at it than she used to be, but it would still take years to attain the practiced ease that a lifelong headscarf-wearer would have.

After saying her morning prayers and having a quick breakfast, Fatemah picked up her laptop and briefcase and headed out of her Tehran apartment, which had been provided for her by Iran’s Revolutionary Guard Corps.

A car was waiting. Today was a big day, and she needed it to go well. 

She got in, and the car took her through the streets of the Persian capital. Finally, it arrived at the offices of the Net Peygard Samavat Company. By all outward appearances, it was a software company.

Fatemah knew the truth. Net Peygard Samavat’s CEO, Hossein Parvar, and many of his employees, were actually members of a hacking group that was working directly for the Iranian government. It went by many names. They called themselves the Turk Black Hat. But in the west, it would come to be known as the second iteration of Rocket Kitten. 

Fatemah got out of the car and headed inside, where she was brought into a conference room. There was Hossein, along with several of his top people.

Salam alaykum, Fatemah. This is Behzad, Mojtaba, and Mohamad.

Everyone took a seat.

I’ve prepared the target packages you asked for, Fatemah said in perfect Farsi. She opened her briefcase and passed out dossiers. 

Obviously, any classified operation I was involved with during my time in the Air Force has most likely been discontinued since my defection. Instead, I gathered as much info as I could on my former colleagues. These are all counterintelligence officers working to thwart Iran’s goals.

Hossein and his employees leafed through the dossiers. Inside were the personal details of eight American spies, all people she had worked with during her time as an Air Force counterintelligence officer herself. 

Since her defection, Fatemah had spent months painstakingly gathering as much information as she could on her former colleagues—all of them tools of American imperialism, she felt. In the end, she’d narrowed it down to eight high-value targets. She provided their social media profiles, email addresses, phone numbers, and other personal information—anything that could potentially be used to access their deepest secrets.

You’ve given us a lot to work with.

I’m sure you have some ultra-high tech hacking tools you can use to crack their accounts though, right?

The Iranian hackers shared a look. They weren’t keen on the idea of sharing their techniques with a westerner, even if she had defected to their country.

Something like that.

That was it? Fatemah needed this to work. Yes, she loved her new country. But Iran had spent a lot of money and resources bringing her here. She needed to hold up her end of the bargain. 

The meeting ended shortly after. With the information Fatemah had given them, Rocket Kitten would launch a bold new strike in Iran’s cyberwar. 

But first, some context. By early 2015, the international cybersecurity community was still chasing down the members of AjaxTM like Yaser Balaghi. They were the first iteration of Rocket Kitten. 

Today, it’s unknown if AjaxTM is still part of Iran’s cyberwarfare program. But we do know that its activity has dropped sharply since the cybersecurity community unmasked it.

It’s likely, then, that the Islamic Revolutionary Guard Corps cut bait with AjaxTM and brought on a new hacker crew: Turk Black Hat Security Team. 

Turk Black Hat’s origins are even more mysterious than AjaxTM’s, but we do know that it was also active in the Iranian hacking scene, particularly with website defacements. 

Usually, its attacks were simple. After breaking into a website, Turk Black Hat would change the background to all black and then write a message in bright red and white letters:

This site hacked by TBH–Turk Black Hat. Remember TBH

At some point after AjaxTM was exposed, the Iranian military contacted Turk Black Hat and brought it into its cyberwarfare program. 

Turk Black Hat set up a front company called Net Peygard Samavat. Their mission was to gather electronic information from Iran’s enemies. Like other Iranian hacking groups, it was a small operation. It was less a streamlined military operation like you’d see in Russia or Israel, and more like a Silicon Valley startup. Net Peygard’s CEO, Hossein Parvar, often complained about how difficult it was to pay the bills, or to just find skilled Mac and Android programmers. 

According to multiple cybersecurity companies, Net Peygard/Turk Black Hat inherited much of the same basic custom malware used by AjaxTM, like Stealer. It’s also possible that some members of AjaxTM joined Turk Black Hat. 

In other words, it’s never been clear if AjaxTM and Turk Black Hat were two different groups, or the same group with different members at different times. That’s why some refer to both groups as Rocket Kitten. Others refer to AjaxTM as Rocket Kitten and use another name for Turk Black Hat: Charming Kitten. For simplicity’s sake, we’ll call everything Rocket Kitten. Plus, it’s cooler. 

After their meeting with Fatemah Zarah, Hossein Parvar and three of his associates, Behzad Mesri, Mojtaba Masoumpour, and Mohamad Paryar, now had extensive information on eight counter-intelligence officers Fatemah Zarah worked with during her career as an Air Force investigator. To this day, we don’t know the names of any of these officers.

The hackers decided to try some good old-fashioned catfishing. Behzad Mesri set up an email account for a fictional woman named “Bella Wood,” which he used to create a Facebook account and friend request the counterintelligence officers. 

At least one of them accepted the request. Then, as Bella Wood, Mesri emailed the officer a so-called “friendship card.” If clicked, it would open up a backdoor channel from the target computer onto an Iranian server. 

The officer didn’t take the bait. Next, Mesri sent the officer a Facebook message offering “photos” of Bella Wood–but the officer would have to deactivate his anti-virus software. 

Again, the counterintelligence officer didn’t take the bait. 

The hackers persisted. In another cyberattack, the hackers made a Facebook account impersonating one of the officers. With that, they made friend requests to several of the other officers, then tried to entice them to download more malware.

The hackers made similar feeble attempts, but ultimately didn’t successfully hack any of the eight counterintelligence officers. But Turk Black Hat’s other operations were much more successful.

Like its predecessor group, Turk Black Hat/Rocket Kitten was tasked with carrying out a variety of tasks that fit within Iran’s cyberwarfare program. 

The first came to be called “Operation Woolen Goldfish.” In it, the hackers created an elaborate fake website simply called “British News.” It claimed to be a legitimate news website, and the hackers actually copied and pasted real news stories from real news sources to make themselves appear legitimate. They even created dozens of fake employees, all with fake email addresses and social media profiles. 

Of course, all of this was laced with malware. 

Next, the hackers would reach out to journalists and academics, both within Iran and in foreign countries like Israel. They would encourage them to read articles and provide comments on them, or they would invite them to be a source of news stories. All of it fake.

This was also mostly harmless spear phishing, but it was still serious. In some cases, hackers would reach out to journalists and attempt to blackmail them by threatening to publish their nudes. One blackmail victim was Negin Shiraghaei, a news anchor for BBC Persian. 

As an unofficial arm of the Islamic Revolutionary Guards Corps, Rocket Kitten also had an obligation to help out with so-called “matters of national security.” Here’s what that looked like: 

In October 2015, Siamak Namazi was visiting Tehran. He’d been born there, but his family had emigrated to the United States in 1983, and Siamak had dual citizenship. Since then, Siamak earned a master’s degree from Rutgers and worked as a public policy scholar. After that, he went into business, consulting for energy companies that wanted to do business in Iran. 

But according to the Iranian government, Siamak was a spy for the Americans. The Revolutionary Guards arrested him in Tehran, confiscated his passport, and charged him with espionage. 

Within hours, Siamak was forced to give up the passwords to his Gmail and social media accounts. The Guards passed this along to Rocket Kitten, which began a massive spear phishing attack on everyone in Siamak’s address book. 

Unlike previous spear phishing campaigns, this one worked. The hackers broke into email accounts for several scholars, U.S. State Department employees, and a well-respected journalist. In the last case, the hackers controlled the journalist’s email for two days, giving them plenty of time to comb through his correspondence with former U.S. secretaries of state, CIA directors, and other foreign ministers. 

The following year, Rocket Kitten had its biggest success yet. 

The Telegram messaging app is based in Berlin and has more than 100 million users, many of them in the Middle East. It’s been widely criticized for its lackluster security features, like using SMS messaging to authenticate user accounts. 

All Rocket Kitten had to do was intercept a text message that contained an authentication attempt. With that authentication code, the hackers could then set up duplicate devices connected to that user’s account–essentially giving them access to everything. In this attack, they compromised a dozen accounts. With just those dozen accounts, the hackers were able to get the phone numbers for 15 million Iranian citizens–making it infinitely easier to track and monitor them. 

So, by 2016, Rocket Kitten and its current members from the former Turk Black Hat Security Team could claim multiple successes. But then, one member of the team would go rogue, threatening the whole operation.

July 23, 2017 was a Sunday, and HBO CEO Richard Plepler, late 50s, was in his sprawling mansion in Greenwich, Connecticut. He was on the phone with some of HBO’s lawyers, discussing the status of the Justice Department’s antitrust lawsuit against his parent company, Time Warner. 

Time Warner was trying to close a $85.4 billion sale with the Dallas-based telecommunications giant AT&T. If the deal went through, it would give HBO’s content access to millions of new customers. But the justice department was claiming the deal violated antitrust laws. 

Plepler needed to crush this lawsuit. He’d staked his entire career on this sale. What he didn’t need were any distractions. 

But then, another call came into his phone. It was HBO’s head of IT. Calling on a Sunday. What now?

Let’s put a pin in this, folks. I need to take this call.

Plepler switched over to the IT head.  

Mr. Plepler? We’ve been hacked. 

She explained the situation. Someone had uploaded unaired episodes of HBO shows like Ballers and Room 104 online. But it was much worse than that. Yes, HBO had been hacked, but they didn’t know yet how much data the hackers had, or what they really wanted. 

The lawsuit would have to wait. Plepler’s team quickly put together a call with top HBO executives to discuss their strategy. HBO needed to conduct a forensic investigation to figure out how this happened, and they also needed to make contact with the hacker. Plepler and his team decided to stay quiet until they knew more. 

But a week later, on Monday, July 31st, another bombshell dropped. 

This time, the hacker emailed several journalists. They linked to a Dropbox folder that contained even more stolen information, including episodes of Curb Your Enthusiasm and Insecure. There were also scripts for unaired episodes of Game of Thrones, which was in the middle of its seventh season at the time. Plus, there were thousands of internal company documents, including finance reports, confidential job offers, and more. Worst of all, the hackers claimed to have compromised top executives’ emails, including Plepler’s own contact list. 

Plepler knew this could potentially be explosive. Three years earlier, the Sony hack had exposed Sony executives’ dirty laundry, and forced CEO Amy Pascal to resign. 

At least this time the hacker had sent a ransom note. Or, a ransom video. It was simple: white text on a black background, with the Game of Thrones theme playing over it. 

Greetings, HBO. I’m the one who hacked your system. You can call me “Mr. Smith.” I have over 1.5 terabytes of your data, including unaired episodes of Game of Thrones. I will release everything if you don’t pay up. Let’s say half a year’s salary. 

We often launch two major operations in a year and our annual income is about 12–15 million dollars. We are serious enough to do our business. We don’t play with you, so you, in return, don’t play with us. You only have 3 days to make a decision, so decide wisely.

In other words, the hackers were asking for $6 million in Bitcoin. 

Plepler was furious. He’d have to inform HBO’s employees, as well as the press. The timing couldn’t be worse. But right now, he had to decide: pay the ransom, or not? 

Act Three

Weeks later, Richard Plepler and his team of lawyers and IT people strode into the offices of the US Attorney for the Southern District of New York. 

These days, the man filling that office was just an Acting US Attorney: Joon H. Kim, early 50s. Sure, maybe not the actual US Attorney, but still a career government lawyer with an extensive track record of prosecutions–the mafia, corrupt corporations, Turkish hackers, you name it. Plepler knew not to underestimate him. 

I’m sure you’re aware that HBO has been hacked. We’ve been conducting our internal investigation, but we think it’s time to pass things on to you. I’ll let my people explain. 

Kim listened as HBO’s IT people explained the situation–as best they could, anyway. They were still stumped as to how the hacker had gained access to HBO’s network. The hacker himself had claimed to use expensive zero-day exploits to do the job–these are flaws in software that are unknown to its developers and therefore still unpatched, and which can sell on the dark web for millions of dollars. Beyond that, HBO was in the dark. 

Have you been in contact with the hacker? 

Yes. They’re asking for 6 million in bitcoin. We offered them 250 grand in good faith to tell us how they hacked us, but so far they haven’t bitten. 

As a policy, the FBI recommends against paying ransoms. 

It’s not like we want to pay it! But not paying it could cost us even more. 

I understand, Mr. Plepler. We’ll look into this. 

In reality, there was no way Joon H. Kim wasn’t going to take this case. But where this case would end up would surprise him. 

Kim had only been in office for a few months. But he’d spent years working for the US Attorney’s office. He knew how things worked. 

His predecessor, US Attorney Preet Bharara, had been fired by President Donald Trump just two months into Trump’s term. The Southern District of New York had been considering multiple investigations into Trump and the Trump Organization, for everything from tax fraud to illegal foreign business deals. Trump had spent the weeks following his surprise electoral college victory calling Bharara, all in an attempt to pressure him into loyalty. When Bharara stopped returning his calls, Trump gave him the axe. 

Now, Kim had the top job–on an acting basis. If he had any hope of keeping the job, he’d need to win cases–preferably high-profile ones that weren’t controversial. Cases didn’t get much bigger than the biggest show on premium cable. 

Kim expected the HBO hack to be a software piracy case, for good reason. Two years earlier, four unaired episodes of Game of Thrones were illegally uploaded to pirate websites, and millions of users downloaded them. 

In that case, HBO had only managed to sue a few people who downloaded the episodes. But now, a hacker was actually demanding ransom. That made it a federal crime. 

After the meeting with Plepler, Kim and his team coordinated with the FBI to investigate the HBO hack. 

Kim’s team started by analyzing the emails sent from the hacker to journalists and HBO executives. With the FBI’s help, they linked “Mr. Smith” to a hacker who went by the name “Skote Vashat.”

In Farsi, “Skote Vashat” means “Silence of Fear.” This gave the Justice Department its first clue: the HBO hacker was from Iran. 

Months later, they had a name: Behzad Mesri, an Iranian national and member of Turk Black Hat. 

Once again, we don’t know how exactly the FBI and the US Attorney’s office discovered Mesri’s alias, or his identity. That’s classified. The American government has access to an array of hacking tools that it can use to penetrate nearly every device or account in the world. It’s not hard to imagine that the Justice Department simply combed through HBO’s servers and tracked the breach, or just analyzed the messages sent by “Mr. Smith.” In any case, discovering Mr. Smith’s real name and online life only took a few months. 

The discovery that the HBO hacker was from Iran was a game-changer. The Justice Department was aware of the Iranian government’s state-sponsored hacking, but an Iranian hacker trying to extort an American company was a first. Was Behzad Mesri working for the Iranian government, or was he just a lone wolf trying to make some money?

These questions would be answered in time. Joon H. Kim only had 300 days in office before he would be replaced, according to Justice Department policy about Acting US Attorneys. It was time to bring criminal charges. 

Now that Kim and his team knew that the HBO hacker was Iranian, that complicated matters. There was no way Iran would send Behzad Mesri to the US to face prosecution. So, Kim had to make a choice. 

If Kim’s indictment named Mesri, there was little chance Mesri would ever be punished. Most likely, the Iranian government would deny any wrongdoing. As long as Behzad Mesri stayed in Iran, the US could never arrest him. 

On the other hand, if Kim kept the indictment sealed, there was a chance Behzad Mesri would travel abroad, without realizing there was a warrant for his arrest. Then the US could nab him. 

But that could take years, even decades. What good would that do for Kim’s career? 

So, in November 2017, just months after the HBO hack occurred, Joon H. Kim’s office formally indicted Behzad Mesri. It charged him with unauthorized access to computer systems, stealing proprietary data from those systems, and attempted extortion. 

The indictment also included a photo of Behzad Mesri. In it, the 39-year-old hacker with a goatee and receding hairline is seen at a party with friends. 

In the indictment, Kim couldn’t resist a little grandstanding: 

“Mesri now stands charged with federal crimes. And although not arrested today, he will forever have to look over his shoulder until he is made to face justice. American ingenuity and creativity is to be cultivated and celebrated -- not hacked, stolen, and held for ransom. For hackers who test our resolve in protecting our intellectual property -- even those hiding behind keyboards in countries far away -- eventually, winter will come.”

The publication of Behzad Mesri’s name and his online alias was a feeding frenzy for the cybersecurity community. 

By this point, the community was still figuring out exactly how the Iranian threat actor called Rocket Kitten worked. Now, here was what looked like an entirely new Iranian threat group to investigate. 

Behzad Mesri’s online alias, Skote Vashat, proved to be the key to the whole thing. In late 2017, Israeli cybersecurity firm ClearSky published a report about Skote Vashat–and his associates. 

ClearSky quickly discovered that the username Skote Vashat was also prominently featured on Iranian hacking forums–specifically, where the group Turk Black Hat liked to gather and crow about its successes. 

It also noted that Skote Vashat and his associates used much of the same malware as the Iranian hacking group calling itself “Rocket Kitten.” 

It was clear that the HBO hacker had deeper ties to Iran’s cyberwarfare program. 

But Acting US Attorney Kim was out of time. Kim’s 300-day term ran out a few weeks after the indictment, and he was replaced by another interim US Attorney, Geoffrey Berman. Berman proved equally willing to pursue an investigation into the Iranian hackers. 

Berman’s office continued the investigation into Skote Vashat and the other members of Turk Black Hat, aka Rocket Kitten. And this led them to an investigation into one Monica Witt, aka Fatemah Zarah. 

After the members of Turk Black Hat attempted to spearphish the eight counterintelligence officers, the US military had been trying to figure out who was responsible. It had traced the cyberattacks to Iran–where Monica Witt aka Fatemah Zarah had recently defected. 

It was too much of a coincidence. US Attorney Berman’s office coordinated with the US military and discovered that not only had Skote Vashat been involved with the HBO hack, he was also a member of the hacking team who tried to crack Monica Witt’s colleagues. 

In February 2019, US Attorney Geoffrey Berman issued a second indictment. This one charged Fatemah Zarah, aka Monica Witt, for her participation in the spearphishing scheme. 

The indictment also named Behzad Mesri, plus three other members of the team, including Mojtaba Masoumpour and Mohamad Paryar. Once again, Rocket Kitten’s cover had been blown. 

But here’s the thing about state-sponsored cyberwarfare. It takes governments and companies months if not years to investigate cyber attacks before they can be certain enough to identify a culprit. This gives hackers plenty of time to evolve their tactics and conduct more attacks. And that’s exactly what Rocket Kitten did. 

Act Four

Redmond, Washington is home to Microsoft’s sprawling headquarters. That includes the Microsoft Threat Intelligence Center, or MSTIC (pronounced “Mystic”). It’s an office made up of over 100 lawyers, data scientists, investigators, forensic analysts, and engineers. Their job is to observe and report on intrusion attempts against Microsoft and its customers. 

In August 2019, MSTIC noticed an uptick in activity surrounding Donald Trump’s 2020 re-election campaign, which relied heavily on Microsoft’s software to conduct its business. 

But now, a team of hackers was making repeated attempts to identify the email addresses belonging to Trump re-election campaign members. Over a one-month period, MSTIC observed the hackers make over 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers, and then conduct an extensive spearphishing campaign against them. In some cases, the hackers tried to figure out how to reset passwords or otherwise trigger account recovery features to take over accounts. In others, the group gathered phone numbers belonging to its targets to try to authenticate password resets. 

Altogether, the hackers identified 241 such accounts. Just four of those accounts were compromised, none of them connected to the Trump campaign. 

MSTIC, and Microsoft’s Digital Crimes Unit, conducted a forensic investigation into the attack. Soon, it traced the origin to Iran. 

Microsoft’s Vice President of Customer Security and Trust, Tom Burt, publicly identified the hackers as “Phosphorus.” That’s Microsoft’s name for Advanced Persistent Threat 35, or APT35, aka “Rocket Kitten.” 

However, we still don’t know whether the current iteration of Rocket Kitten includes any of the same people who conducted its earlier attacks, like Yaser Balaghi or Behzad Mesri. It’s entirely likely that the Islamic National Guards Corps has contracted yet another Iranian hacking group to do its bidding. We don’t know their personal names, their aliases, or the name of their hacking crew. 

Today, both the cybersecurity community and the US government have discovered even more hacks that have been attributed to Rocket Kitten. 

In 2021, Rocket Kitten was caught conducting an extensive hacking campaign against infrastructure in American cities, including transportation, healthcare and the public health sector. Later that year, Rocket Kitten carried out a credential phishing scheme against medical researchers in the US and Israel who were analyzing the COVID-19 virus. 

Are these the work of the same people who hacked HBO, or who tried to hack Fatemah Zarah’s former colleagues in Air Force intelligence? Are they the same ones who snuck hacking tools into Iran’s censorship software? 

Once again, we don’t know. And it almost doesn’t matter. As we’ve seen time and time again, if an Iranian hacking gang gets exposed, the Iranian government can just move on to the next one. Over time, Rocket Kitten’s tactics have evolved. While Rocket Kitten has had relatively few successes compared to failures, it’s not going anywhere. 

This kitten has way more than nine lives.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners, and the best way to support the show is to share it. Another way to support us is on Patreon. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka Wittle Baby Kitten. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!