Redline: Enemy of the State?
Rewind to January 2014. Redline had a few problems with the website and it fell over. Channelling our inner Sherlock Holmes, Redline was able to pinpoint the likely culprits: an Iranian company or group called Tarh Andishan, which happened to be located just around the corner from SPND (سازمان پژوهش و نوآوری دفاعی or سپند), had tried to take us down.
Redline is no cyber security guru, so we assumed Tarh Andishan was probably a bunch of teenage hackers with nothing better to do. Well, it turns out they are a bit more serious than that. According to a report published by cyber threat protection company Cylance (they are gurus), Tarh Andishan is behind a worldwide series of cyber attacks emanating from Iran called Operation Cleaver. The activity apparently targeted sensitive technologies and critical national infrastructure to gather information and possibly lay the ground for future attacks. To top it off, Cylance used some of our rudimentary analysis to prove it! Google Maps, we salute you.
While Cylance is primarily concerned with how these attacks were mounted, Redline cares much more about who and why. Interestingly, Cylance stated that the scale of the work means it must have been state sponsored, and state-sponsored hackers need someone from the state to tell them who to hack. For their part, Iran has denied being behind Cleaver and even said the accusations were aimed at “hampering the current nuclear talks”.
Leaving the usual rhetoric aside, Redline wants to look at who in Iran would have an interest in directing this hacking and cyber espionage. If it wasn’t Zero Cool and Acid Burn, then who was it? After all, experts have long discussed the dangers of technology transfer via the Internet – that’s proliferation by non-traditional means. In the uber-connected society we now live in, is Iran just as likely to get sensitive technology via the internet as it is by more traditional means? Plus, this way we finally get to put those two hours watching Hackers to use.
You don’t need to read very far into the Operation Cleaver report to have a guess at who might be responsible - the evidence points a big arrow at a certain man in Mojdeh Street and his bosses at MODAFL (وزارت دفاع).
We will start with who Tarh Andishan targeted in these cyber attacks. The list published in the report showed 15 types of victim or target. They included military, defence contractors, aerospace, chemical companies, education, energy, technology and governments. Quite a set of research topics eh? Tarh Andishan’s list of victims seems a bit diverse for your average hacker to have identified by themselves.
Which takes us back to the exam question: which organisations in Iran are likely to be interested in these sectors AND in a small website analysing Iran’s nuclear weapons projects? Mr Fakhrizadeh (محسن فخری زاده), do you have a confession to make?
SPND and MODAFL are exactly the sort of organisations that stand to benefit from a sophisticated cyber espionage operation like Cleaver, and they have the knowledge to tell the hackers where to look. We reckon all it would take is a bunch of computers, some whiz-kid hackers and a reasonable broadband connection.
SPND is, to use the formal title, Iran’s Defense Research and Innovation Organisation. While we know that it houses Iran’s latent nuclear weapons research, we can only speculate on what other kinds of topics ‘Defense Research and Innovation’ covers.
MODAFL have history in this area too. This time last year Iran’s Minister of Defence Hossein Dehghan (حسین دهقان) unveiled a series of cyber products and claimed "mastering cyber technologies are among the top priorities of the Defense Ministry". The Cleaver revelations suggest this mastery was being sought for both offensive and defensive purposes.
Even the Supreme Leader has got in on the act, telling Iran’s students to prepare for ‘cyber war’.
In case you missed it, Redline will do what any good movie lawyer would and summarise the findings:
1. A State-backed Iranian group called Tarh Andishan has used the internet to gather information that the likes of SPND and MODAFL would be very interested in.
2. We know that mastering Cyber technology is a big priority for MODAFL, and probably for offensive as well as defensive reasons.
3. The same group that did this also attacked a small website that analyses Iran’s nuclear weapons research, and they are based a short walk from SPND’s Mojdeh Street office.
You will forgive us for feeling like we have landed in the middle of an Enemy of the State-type scenario here. The case is pretty compelling.
At the very least, SPND and MODAFL are involved in this whole Tarh Andishan/Operation Cleaver affair; maybe they are the ones directing the hackers on where to attack? If so, it is a truly frightening thought: who knows the extent of what SPND’s scientists want to get their hands on?
Based on Redline’s previous experience, Mohsen Fakhrizadeh is exactly the sort of secret-projects specialist who would ask Tarh Andishan to combine SPND and MODAFL’s cyber acquisition of technology and information with his own desire to check what Redline has said about Space Cat this week. He wasn’t exactly careful about the whole AMAD thing either.
Busted.