CONNECTING THE DOTS
Moscow Server Hosted WikiLeaks and Iran’s Hackers Weeks Apart
The year was 2015, and weeks after a group of brazenly persistent hackers hit over 500 targets, WikiLeaks dumped thousands of Saudi diplomatic cables. Coincidence, or connection?
New research from computer security analysts dangles the possibility of a link between WikiLeaks and Iranian government hackers, by way of a server in Moscow that was used by both within a span of weeks.
The research by Virginia-based ThreatConnect involves a notorious hacking campaign that targeted more than 500 diplomats, journalists, human rights workers, scientists, and researchers, primarily in the Middle East. The hackers used spear phishing to lure targets into installing malware or entering their passwords into a fake login page. Though technically unremarkable, the hacks stood out for the brazen persistence of the attackers, who in some cases followed up their phishing emails with a phone call encouraging the victim to open the attachment.
The Israeli security company ClearSky detected the campaign in May 2015, and from a number of clues attributed it to the hacking organization “Rocket Kitten,” also known as “APT33,” which has been linked to the government of Iran.
ThreatConnect’s three-page report connects some tentative dots between that attack, which targeted Saudi Arabia more than any other country, and WikiLeaks’ release a few weeks later of hundreds of thousands of diplomatic cables taken from Saudi Arabia’s foreign ministry—and suggests that WikiLeaks may have worked with Rocket Kitten to engineer its own leak.
The research comes on the heels of the Thursday arrest of WikiLeaks founder Julian Assange in London. Federal prosecutors in Virginia are seeking Assange’s extradition on a charge of conspiring to crack an Army password to help leaker Chelsea Manning in 2010.
The June 2015 Saudi Arabia files marked WikiLeaks’ first high-profile release after resurrecting its leak submission system that May following five years of downtime. Two weeks after the Saudi release, WikiLeaks began growing its infrastructure and expanded its website hosting onto a rented server in Moscow.
And that’s what got ThreatConnect’s interest. The IP address of WikiLeaks’ new server in July 2015 had last been seen in May 2015 hosting the website login-users[.]com, a fake Google Drive login page used in the Rocket Kitten phishing attacks.
Under some circumstances, a single IP address can host thousands of websites in a low-cost shared hosting arrangement. But that’s not the case here. “This IP was part of a range of dedicated HostKey servers,” notes the report. “This indicates that a single actor or collective had control over the infrastructure hosted at this IP.”
That suggests to the researchers that WikiLeaks may have hosted the phishing site itself to help out Iran’s hackers, perhaps in exchange for the leaked cables, just as Assange allegedly helped Manning.
“We cannot definitively state who was behind the attack that resulted in the files WikiLeaks released, or if that domain was a part of that attack,” said Kyle Ehmke, an intelligence researcher at ThreatConnect. “But the timing, co-location, and overlap in potential source and leaker are seemingly too significant to be coincidental.”
But the report acknowledges several other more innocent scenarios that might explain how WikiLeaks, after posting a big leak of hacked files from Saudi diplomats, wound up controlling a slice of internet that was used to hack Saudi diplomats a few weeks earlier.
For one, the Iranian hackers may have transferred the phishing server to Assange after the hacking was done. ”This may have facilitated the transfer of files from the malicious actor to Wikileaks if the stolen files were stored at a server on that IP,” ThreatConnect wrote. “Wikileaks domains being first hosted at this IP after the malicious domain is possibly evidence of this explanation.”
It could also just be a coincidence, the report notes. WikiLeaks could have been randomly assigned the same dedicated IP address after the Iranian hackers were finished with it.
Eyal Sela, head of threat intelligence at ClearSky, favors that last theory. He said WikiLeaks may have innocently obtained Rocket Kitten’s old address if both groups happened to use the same “bulletproof hosting” provider, a no-questions-asked reseller with a small inventory of servers.
“I obviously cannot be sure, but this makes more sense to me then the other theories,” Sela told The Daily Beast.
Complicating things further, Iran’s Rocket Kitten may not have been the only state-sponsored hackers on the playing field.
WikiLeaks claimed at the time that the Saudi leak came from a completely different group of hackers who also purportedly targeted Saudi diplomats in May 2015: the Yemen Cyber Army. If so, it wouldn’t be the last time Assange received documents from that particular hacker group. In 2017, the Senate Intelligence Committee identified Yemen Cyber Army as a false front for Russia’s GRU.