If you’re trying to work for a secret Iranian hacking unit, you should probably not put that on your resume. Saeed Pourkarim Arabi allegedly skipped that step and it helped land him in the crosshairs of the FBI.
Prosecutors charged Arabi on Thursday, along with two other Iranian men, Mohammad Reza Espargham and Moahmmad Bayati, with breaking into satellite companies on behalf of the Islamic Revolutionary Guard Corps (IRGC), part of an FBI investigation first reported on by The Daily Beast.
The conspiracy was allegedly orchestrated by Arabi, who prosecutors described as “a member of the IRGC, living in IRGC housing, working in intelligence regarding IRGC air, space and cyber operations.”
In the summer of 2017, an anonymous tipster who ran a satellite tracking site and an unnamed satellite company both contacted the FBI about a suspicious spear-phishing email that tried to trick users into clicking on a malicious link. As The Daily Beast reported last year, the email, written in stilted English, announced the launch of a "new and ultimate software for tracking satellite" named TLE Analyzer. It was sent to targets at NASA and Lawrence Livermore National Laboratory, among other targets.
The website for the fake TLE Analyzer software was registered with a Gmail address that included the phrase “Digital Globe Marketing” and listed Digital Globe’s mailing address in Colorado. Digital Globe, now known as Maxar, is a satellite imagery firm and the hackers likely used the company’s information when registering the website in order to trick users into believing it was a legitimate site.
The satellite tracker tipster told the FBI he believed his site had been hacked and used to send malware to site users. A spear-phishing email sent to the tipster from his own website triggered his suspicion and a subsequent examination of code found in the email showed a hidden string of text, "Hello IraNiaN DarK CoderS TeaM ;) Israel Fucked by M.R.S.COAndAIi.Pci."
Court documents obtained by The Daily Beast show that when the FBI served search warrants on Google for information related to the Gmail addresses used in the spear-phishing campaign, they found that the email accounts had been registered by users browsing from Iranian IP addresses. A Gmail address used as a recovery account for the Digital Globe email—email@example.com—pointed them towards mail-db.com, a domain registered by Arabi.
Prosecutors say the hackers were successful in breaching at least two unnamed companies, one which "provided real-time satellite tracking" and another “that provided satellite voice and data communication services.” The hacks resulted in over a half a million dollars in damages, according to the indictment.
Arabi and his alleged co-conspirators from the Iranian Dark Coders Team have been known mostly for lower level website defacements and criminal activity. The hacking group vandalized websites in the U.S. and Israel with pro-Iranian and Hezbollah propaganda but until recently it wasn’t clear whether any of its members had graduated to working with the Iranian government on more important operations.
But thanks to some stunningly sloppy operational security on Arabi's part, federal investigators found out that he lately graduated to working for Iran’s IRGC.
Investigators allegedly found a resume for Arabi in which he listed his role as an intelligence officer for the IRGC and “touted hacking projects that he claimed to have completed,” including break-ins at an American aerospace and satellite company as well as a U.K.-based aviation company.
Arabi and his fellow defendants remain abroad and Iran does not have an extradition treaty with the U.S.