Crossing the Redline

In December last year Redline made the news when American company Cylance published a report revealing the activities of an Iranian hacking group called Tarh Andishan (طرح اندیشان), which they named Op Cleaver.

Based on the evidence, it seemed pretty clear to Redline that Tarh Andishan were being directed by, or were an actual part of, Iran's Ministry of Defence and Armed Forces Logistics (وزارت دفاع و پشتیبانی نیروهای مسلح). Indeed we would go even further than that. Could Tarh Andishan be part of SPND?

Someone clearly took an interest in what we said, as Redline has recently been the subject of some quite aggressive hacking activity that, according to an IT guru we spoke to, bears a remarkable similarity to the previous time we were hacked, back in January 2013. Luckily Redline is now made of stronger stuff than a celebrity iCloud account, and this time we managed to repel the attacks.

In January 2013 we were able to prove that Tarh Andishan was responsible, and on the balance of evidence it seems pretty likely that they are the culprits this time too. Let's look at the timeline:

• Early December - Redline publishes an article showing the evidence linking Tarh Andishan to MODAFL and SPND.

• Late December - Redline is subject to aggressive hacking that is very similar in technique to the previous attack on the site in January 2013, which we could attribute to Tarh Andishan.

Did we touch a nerve? Criminal investigators often cite two key things that constitute what an American TV lawyer would call 'probable cause'.

Motive and opportunity.

If Redline was correct, and TA works for or with MODAFL and SPND, then the motive is pretty clear: TA were probably trying to figure out how we could draw such a conclusion. Well, we hate to break it to you, but you guys have made it pretty obvious who your paymasters are with all that stuff you did.

As for opportunity: we know TA can do this type of hack, heck, they've even done it to us before. There is ample opportunity for them to pick on a small blogging site; we bet they would be a bit more hesitant to do this to the guys at Cylance.

Hey! Tarh Andishan! Why don't you pick on someone your own size?

The question remains, who are Tarh Andishan? The names given in the Cylance report, such as 'Reza', don't really narrow it down too much.

It seems unlikely that MODAFL or SPND had expertise within their own organisations for a group like Tarh Andishan to spring up from the inside. While Mohsen Fakhrizadeh is a keen blogger, he's unlikely to have the cyber-skills to do this himself.

Inside the Tarh Andishan HQ, or a scene from Hackers, the 1995 vision of the future.

Redline suspects that while the hackers themselves must be pretty youthful, probably fresh out of University, there must be some more experienced hands involved. You do not get a job running a MODAFL/SPND hacking unit without some serious connections. We would not be surprised at all if we were talking about a MOIS (وزارت اطلاعات) or IRGC (سپاه پاسداران انقلاب اسلامی) veteran here. Those two organisations have the intelligence and investigative expertise, plus the political clout, to get this sort of enterprise off the ground.

If Tarh Andishan wanted to get our attention, they have succeeded. This case, the crossover between Iran's military, nuclear and cyber projects, is too intriguing to leave alone.
