Iranian hackers breached computers of the American satellite technology industry with help from a fake website and an unsuspecting college professor.
Court documents obtained by The Daily Beast show that the FBI believes Iranian hackers going by the nicknames MRSCO and N3O may have been involved in the attempted breaches. The hackers, members of a long-running Iranian hacker collective known as the “Iranian Dark Coders Team,” have become known for defacing websites with pro-Iranian and Hezbollah propaganda, hacking gas-station pump terminals online, and attacking an Israeli credit-card company over the past seven years.
The Department of Justice declined to comment publicly on the investigation.
The FBI began investigating the campaign when unnamed satellite trackers tipped off the Bureau that someone was sending out malware-laden spear-phishing emails in an attempt to trick recipients into downloading software hosted on a website made to look like a legitimate app for finding satellite orbits. The messages, written in stilted English, advertised an “ultimate software for tracking satellite [sic]” and were allegedly sent to members of a satellite-tracking website after the site had been hacked.
Agents pulled the registration information for the bait website and found that the hackers had tried to impersonate an employee of the commercial satellite imagery firm DigitalGlobe when creating the site in order to make the software downloads appear genuine.
One recipient of the poisoned emails noticed that code embedded in the fake satellite technology company’s website contained noteworthy strings of text. A download link for the malicious software contained a script that included the phrases “IraNiaN DarK CoderS TeaM” and “Israel Fucked by M.R.S.CO And Ali.Pci.”
That text, law enforcement officials believed, pointed to a well-known hacker collective, the Iranian Dark Coders Team, and one of its top members, who goes by the nickname MRSCO. The group hacked gas pump software exposed to the internet in 2015 and in 2012 defaced Israeli sites with the slogan “Remember Emad,” a reference to the Hezbollah terrorist operative Imad Mughniyeh, who was killed in a joint U.S.-Israeli operation in 2008.
Iranian hacking groups have been involved in a number of sophisticated attacks over the years, including break-ins at Saudi oil facilities and a nuclear power plant in New York state. But the Dark Coders Team has tended to focus more on cybervandalism and less advanced hacks than other groups operating from the Islamic Republic. For example, federal agents found that MRSCO claimed 37 hacks on Zone-H, a site that tracks self-reported website defacements, and that “at least 13 of these hacks involved U.S. facilities.”
In addition to MRSCO, law enforcement believes that another member of the Dark Coders Team was also involved in a similar attempt to hack people in the U.S. satellite industry. FBI agents wrote that the Iranian hackers compromised the email account of an unnamed geology professor and used it to send spear-phishing email to a “U.S. person employed at a satellite imagery company.”
When FBI agents spoke to the professor, they learned that he was unaware that his account had been compromised; he said he had not used it for years. Messages sent by the Iranian hackers from his old email account asked the recipient to download and test a parallel image-processing application hosted on a Dropbox account. Investigators looking into the attacks believe that Dropbox accounts registered to email addresses associated with MRSCO and another Iranian Dark Coders Team member, “N3O,” are associated with the hacking campaign conducted from the impersonated geologist’s account.
It’s unclear exactly why the Dark Coders Team targeted Americans in the satellite industry or what kind of data they sought. The Iranian government has invested heavily in building up its hacking capabilities and taken on targets in the U.S. and the Middle East. Former Director of National Intelligence Dan Coats testified in 2018 that Iranian hackers ranked alongside hacking groups from China, Russia, and North Korea as among the greatest cyberthreats to the U.S.
But just because the Dark Coders Team is Iranian doesn’t necessarily mean that they were pursuing satellite industry targets at the explicit direction of the Iranian government.
One cybersecurity researcher who tracks Iranian hackers and asked not to be identified for security reasons told The Daily Beast that “Iran’s hacking community is a mixture of ideologues, criminals, and opportunists—all with differing relationships with the regime. As a pariah state with little access to foreign technologies, there are rich opportunities for those in Iran with a bit of technical skill who want to make a fast dollar engaging in fraud and industrial espionage, and the government is a willing buyer.”
There’s plenty of precedent, the researcher argues, to suggest that the Dark Coders Team is made up of “freelancers with a bit of ambition and an ambition to sell stolen information to the government.”