Over the past few months, we have been running into a growing number of Iran regime trolls, possibly linked to MOIS APT34. APT34 has an internal group known as the “Oil Rig Hackers”. The Oil Rig group is not particularly sophisticated but is extremely persistent in the pursuit of its mission objectives and, unlike some other espionage-motivated adversaries, is much more willing to deviate from its existing attack methodologies and use novel techniques to accomplish those objectives. In this instance, it looks like they may be the ones linked to this new group of Iranian trolls and the sites they are promoting on social media. After scraping the affiliated Twitter account’s follows/followers, we discovered 3 accounts we believe to be directly linked to the Oil Rig group.
On March 25th 2019, a Telegram account was made, “Lab Dookhtegan | Read My Lips”, and began disclosing information, methods and members of the Oil Rig hacking group. That was less than 30 after the Twitter account was created for Mozahemin.org. Although the two don’t seem to be related, the timing of these two accounts being created raises a lot of questions. The Mozahemin site appears to mainly target the NCRI/PMOI/MEK, while the Lab Dookhtegan Telegram account appears to have no political affiliation.
Dookhtegan (لب دوخته گان, “sealed lips”) as an image and a maxim was the creation of Mehdy Kavousi, an Iranian immigrant in the Netherlands who is protesting immigrant deportations. The image is famous and literally shows Mehdy with his lips sewn together in protest. Since March, the actors involved in dropping the dime have gone on to create two darknet sites as well as three accounts on Telegram where they dropped much of the same data. The Telegram account and the successive Dookhtegan1 account(s) on Twitter also put out a video with their announcement. The video consists of clips of President Obama making a speech, much like the kind of thing you see in movies where someone is threatened using sound bites.
From the Lab Dookhtegan Telegram account: “We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks. We hope that other Iranian citizens will act for exposing this regime’s real ugly face!”
So the question arises: will Lab Dookhtegan start targeting this Iranian troll army behind the Mozahemin.org website? Highly doubtful. Since the site is being hosted by GreenWeb within Iran, it’s also doubtful their abuse department would remove the site due to TOS violations. [email protected] seems to be the only hope of getting it removed.