Who Is Behind Pro-Ukrainian Cyberattacks on Iran?

COMMENTARY

Ukrainian cyber forces have attacked Russian infrastructure and assets almost since the first day of the Russian invasion of Ukraine on Feb. 24, 2022. A now well-oiled machine, the "IT Army of Ukraine" (as it is known) works alongside the main cyber directorate of Ukraine, SSSCIP, on the offensive aspects of the cyber conflict. While its mainstay is denial-of-service (DoS) attacks that have knocked out the Russian customs system and grounded flights at Russian airports, among other things, it doesn't shy away from breaching Russian assets and making off with huge amounts of data.

Other hacktivist groups have also planted their flag firmly on the Ukrainian side. These include Anonymous, whose main anti-Russian activities fall under the operation #OpRussia. Smaller groups have also supported Ukraine, such as Network Battalion 65 (which ceased operating in August 2022) and Nebula, a newer player on the scene that became active in May 2023. Regardless of their origin, they share one thing in common: attacking only Russian or Belarusian assets. Well, at least until recently.

Nebula Hits an Unexpected Target

On Oct. 28, Nebula posted screenshots of its breach of Raykasoft, an Iranian company specializing in medical software. While the breach isn't sophisticated — the group somehow obtained root and is deleting backups and file systems with "rm -rf --no-preserve-root" — the message they left, which directly references Iran, is unusual. The message begins:

"Iran, you've overstepped your bounds and you're getting involved in conflicts that do not concern you. As a result, we've dropped medical databases containing over 10TB worth of data between several critical servers. We've also destroyed these servers as well. Raykasoft has proved they can't secure medical data."

Full statement on the Raykasoft hack by Nebula.

Attacks against non-Russian owned assets by Ukrainian hackers have happened during the conflict, but they are rare. The IT Army of Ukraine has made it a point to target only Russian and Belarusian assets, no doubt to avoid upsetting Western backers that are providing significant military aid. Some Western companies still doing business in Russia are anecdotally targeted, but this has been attributed more often to Anonymous rather than official Ukrainian cyber forces, whose official stance is to focus on Russia.

The "conflicts that doesn't concern you" in Nebula's message refers to the military support Iran has been providing Russia, mainly Shahed drones that have been raining down on Ukrainian cities for over a year and caused untold suffering for the civilian population.

Who Is Nebula?

So, who is this group exactly? On Nov. 17, Nebula accidentally leaked one of its operational IP addresses in screenshots of its recent breach of Russian software company Insoft.ru.

In an almost nightmarish scenario for any infosec professional, the screenshots show a half-dozen Meterpreter shells Nebula has open in Insoft's infrastructure. (Meterpreter is a Metasploit payload that can be used to download and upload files, run code, and open a command shell.) The source IP is blocked out … but not very well.

Looking carefully, it appears the source IP looks like 91.92.246.69 or 91.92.246.89. Scanning both with nmap shows 91.92.246.69 with an open Cobalt Strike beacon on port 4445 running, so that's the likely one. These IPs are owned by LimeNet out of the Netherlands — but in cyberspace, attribution is a difficult thing, so that means little.

Meterpreter sessions connecting to the Insoft infrastructure with partially blacked-out source IPs.

In each hack, the attackers also thank and "shout out" many hacker aliases, but they are so generic that they are hard to attribute. (Look up how many security researchers and hackers have the handle Raz0r.) Interestingly, they also use a variation of the Anonymous tagline, "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us," instead opting for "expecc us. respekk us."

Looking at the evidence, it's unlikely that Nebula, while effectively being pro-Ukrainian, is controlled by the SSSCIP or the IT Army of Ukraine. That it would go after a medical target isn't aligned with the IT Army of Ukraine's philosophy.

In October, the International Committee of the Red Cross (ICRC) released its rules for cyberwarfare during a conflict, which effectively amounts to avoiding or minimizing harm to civilian targets, sticking to military targets, and avoiding medical-related targets. On its Telegram channel on Oct. 11, the IT Army of Ukraine responded with a short statement, saying: "We've intuitively adhered to these rules even before they were introduced, for instance, never attacking healthcare or humanitarian sectors." (As a side note, the Russian hacker group Killnet's answer to a question about the ICRC rules was, "Why should we listen to the ICRC?")

Since the Raykasoft hack, Nebula has returned to Russian targets. In the first two weeks of November, it took down Refactor-ICS and Insoft, both Russian IT companies.

Looking at the overall picture, it seems that Nebula, being a pro-Ukrainian splinter entity, has merely been opportunistic in its targeting. It's taken advantage of weak infrastructure to fire a warning shot to Iran — counter to the IT Army of Ukraine's current targeting philosophy. While Iranian support of Russia is well known, for now cyber activity against Iranian assets (at least from Ukraine) remains a one-off. We'll have to keep an eye on this development to see if it mutates into a more sustained trend against wider Iranian Infrastructure.