2023/12/21 10:12:42

Cybercrime and cyber conflicts: Iran


Iran's involvement in recent cyber attacks is hardly questioned by security experts. After Iran was subjected to attacks related to attempts to stop its alleged nuclear program, retaliatory strikes can be considered almost guaranteed. It is believed that sources inside Iran were behind the attacks against American banks, as well as a massive cyber attack against Aramco, a Saudi oil company that, in the Iranian government's view, benefits from the economic sanctions against Iran.

Organizations

  • The Iranian Islamic Revolutionary Guard Corps (IRGC) is an elite component of the Iranian Armed Forces. The corps has its own air, naval and ground forces, in which about 100 thousand people serve. Tehran has repeatedly denied the organization's involvement in terrorist activities.

2023: 70% of gas stations in Iran stopped working due to a massive cyber attack

On December 18, 2023, Iranian authorities reported a massive cyber attack on a network of car gas stations. As a result of the intrusion, approximately 70% of such sites throughout the country stopped working.

The cyber attack disrupted the functioning of IT systems, making it impossible to read fuel cards. Gas station operators were forced to switch to selling fuel manually, which caused certain difficulties. Specialists took prompt measures to restore the normal operation of the facilities.

Iran reported a massive cyber attack on a network of car gas stations

The cybercriminal group Predatory Sparrow, which is allegedly linked to Israel, claimed responsibility for hacking the Iranian gas station network. The hackers said they had managed to break into the central servers of the gas stations and gain access to classified information, payment services and control systems. As a result, the work of many gas stations was practically paralyzed.

It is noted that members of Predatory Sparrow may be associated with Israeli military intelligence. The hackers have previously claimed responsibility for cyber attacks on Iran's state-owned steel company and fuel distribution system; both of those intrusions were successful. The group said in a statement on Telegram that, as with its previous operations, the attack on the gas station network "was carried out in a controlled way" in order to limit the possible impact on the activities of emergency services.

"We alerted emergency services across the country to the impending attack before the operation even began and made sure some of the petrol stations remained operational - despite our ability to completely disable all of these sites. The cyber attack was carried out in response to the aggression of the Islamic Republic and its proxies in the region," the Predatory Sparrow statement said.[1]

2022

Iranian group leaves bookmarks on GitHub

The Iranian government-linked group Cobalt Mirage uses the Drokbk malware in attacks on various US organizations, using GitHub as a dead drop. This became known on December 12, 2022. Read more here.

Log4Shell remains a formidable weapon in the hands of Iranian cybercriminals

Anonymous declared cyber war on Iran over protests

On September 21, 2022, Anonymous hackers launched the OpIran (Operation Iran) campaign against Iran over the ongoing protests in the country. During the protests, the country saw Internet disruptions and several complete shutdowns of the mobile network. This became known on September 26, 2022.

Anonymous declared war on the Iranian government and began conducting cyber attacks on government websites, including those belonging to Iranian intelligence and police. By the end of September 2022, the websites of those agencies were already down.

"Dear Government of Iran, You turned off the Internet - we will turn you off!" the hackers wrote on Twitter, addressing the government.

The group called on hacktivists to launch DDoS attacks on Iranian websites, steal their data and leak it online. The hackers also suggested that Iranian citizens bypass state censorship using the Tor browser.


Anonymous also hacked the Center for Judicial Medical Research and the Iranian Assembly and published the stolen data online; their attacks also led to the shutdown of the Iranian state-owned media outlet Fars News Agency. Anonymous also said they had hacked 140 CCTV cameras in Iran.


Earlier, during the OpRussia campaign, Anonymous hackers published more than 1 TB of correspondence of several large Russian companies[2].

2021

Iranian APT groups began to attack the IT sector more often

Iranian APT groups began to attack the IT sector more often. This became known on November 19, 2021. Read more here.

Information security agencies warned of growing number of cyber attacks by Iran-linked groups

The cyber conflict between the United States and Iran continues to heat up. This became known on November 18, 2021.

The US Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the UK National Cyber Security Centre (NCSC) warned in a joint statement of a growing number of attacks by Iranian groups exploiting vulnerabilities in Fortinet FortiOS (CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591) and Microsoft Exchange. According to experts, the attackers often run BitLocker on compromised Windows computers under their control to encrypt data for ransom or disruption.

The intelligence agencies issued the warning less than three weeks after the head of the Iranian Civil Defense Organization, Gholamreza Jalali, who oversees the country's cyber security, accused the United States and Israel of carrying out a cyber attack that led to the disruption of Iranian gas stations.

Since at least March 2021, three vulnerabilities in Fortinet products have been exploited against targets in the United States, while attacks using ProxyShell vulnerabilities in Microsoft Exchange have been recorded in the United States and Australia.

"Iranian government-sponsored APT groups target a wide range of companies in various sectors of critical US infrastructure, including the transport and health sectors, as well as Australian organizations," the experts explained.

FBI officials also sent warnings to private industry companies that Iranian attackers were trying to buy their stolen email and network information from clandestine forums.

Since September 2020, Microsoft has been tracking six Iranian hacker groups - Thanos (DEV-0146), Moses Staff (DEV-0500), Phosphorus, Rubidium (pay2key), Vice Leaker (DEV-0198) and Agrius (DEV-0227). The criminals install ransomware and steal data in order to cause failures in victims' systems. Over time, these groups have turned into competent attackers who can conduct cyber espionage, use multi-platform malware, run ransomware and wiper operations, conduct phishing attacks, and even carry out attacks on supply chains[3].

Gas stations in Iran crashed after a large-scale cyber attack

At the end of October 2021, the Iranian authorities accused hackers of disrupting the operation of gas stations throughout the country. In what form the cyber attack was carried out is not specified, and no group has claimed responsibility.

The attack rendered useless the government-issued electronic cards that Iranians use to buy subsidized fuel at Iran's gas stations. The Associated Press reported that the cyber attack in the capital, Tehran, created long traffic jams of cars waiting to be refueled, with many pumps shut down and stations closed. People who tried to pay by card at the pumps received the message "cyberattack 64411".

Gas stations in Iran suffered an outage after a serious cyber attack

"Iran's Supreme National Security Council confirmed that there was a cyber attack on the computerized gasoline distribution system. Details of the attack and its source are being investigated," state television Abadan TV said.

Sources found that the number 64411 in the messages is associated with the office of Iran's Supreme Leader Ayatollah Ali Khamenei, which handles questions of Islamic law, suggesting that the attack may have been politically motivated.

"It will be interesting to see who claims responsibility for this attack. This appears to be a politically motivated attack, and to me it highlights the need to effectively manage the security of critical national infrastructure. In recent months, there has been a lot of noise around anti-climate change organizations blocking transportation routes and targeting government infrastructure," said Cyvatar CEO Steve Daniels.

Nasser Fattah, chairman of the North America Steering Committee for Shared Assessments, which manages risk in information systems, noted the irony that a country in the top 5 countries posing a high risk of attacks on others was itself attacked. He noted that such cyber attacks on entire states can have a ripple effect in society, which can lead to unrest and chaos within countries.[4]

As its cyberpower grows, Iran has moved to conduct drills for its allies

The Iranian government has stepped up its cyberspace operations and even conducts cyber training for its allies, particularly Hezbollah in Lebanon. This was reported in a report by the International Institute for Strategic Studies[5][6].

According to the report, Iran considers itself to be in a state of "intelligence and cyber war" with its opponents. Since the Stuxnet malware attacks on the country's nuclear program more than a decade ago, Tehran has significantly expanded its capabilities in cyberspace. Iran's push to quell domestic opposition has led to increased use of cyber surveillance tools. However, the country is unable to carry out powerful "combat-level cyber attacks," the report said.

According to experts, Tehran's efforts in the West are undermined by the fact that they are easy to detect and attribute to Iran. However, the country has been described as a significant regional cyber force carrying out devastating attacks on infrastructure. Iran is also more tolerant than many countries of the so-called "patriotic hackers" conducting cyber operations without official instructions from the authorities.

Natanz nuclear site crash could be the work of Israel's intelligence agencies

Representatives of the Atomic Energy Organization of Iran reported in April 2021 an accident in the power network at the nuclear facility in Natanz, where new uranium enrichment centrifuges had been started up the previous weekend. The Iranian authorities called the incident a "terrorist attack," and Israeli media associate the incident with a cyber attack by the Israeli special services[7].

Israeli intelligence sources told the Kan television and radio company that the Mossad, Israel's national intelligence service, is allegedly behind the alleged cyber attack on the Natanz facility.

According to Iranian Foreign Ministry spokesman Said Khatibzadeh, the sabotage at the nuclear facility in Natanz was organized in order to interfere with negotiations on nuclear programs. According to the ministry representative, IR-1 class centrifuges were damaged as a result of the incident. The accident in the electricity distribution network at the uranium enrichment plant occurred shortly after the launch of the new centrifuges. There were no injuries, and no environmental contamination was identified.

"If the goal of the attack on the Natanz facility was to slow down our nuclear production, then the goal has not been achieved," Khatibzadeh said.

However, intelligence sources said the Natanz facility suffered significant damage. The accident undermined Iran's uranium enrichment capabilities, and the country's authorities lost significant potential.

2020

Iranian hackers send threatening letters to American voters

Iranian hackers sent threatening letters to American voters. This became known on October 22, 2020.

The letters were allegedly sent on behalf of a far-right pro-Donald Trump group called Proud Boys.

The letters were threatening demands to vote for US President Donald Trump. This was reported by The Washington Post.

U.S. officials said Iran was responsible for sending the letters.

US Director of National Intelligence John Lee Ratcliffe accused Iran of using voter data to send "fake emails to intimidate, incite public unrest and damage President Trump."

In their messages, the attackers claimed that they "have all the information about the recipient," and urged them to vote for Trump in the upcoming US elections. Some of the threatening messages contained a video with detailed instructions on how to vote more than once. Other letters claimed to have compromised "all voting infrastructure" in the U.S.[8].

FBI shut down 92 fake news resources

The US FBI seized 92 domain names illegally used by the Iranian Islamic Revolutionary Guard Corps (IRGC) in disinformation campaigns. This became known on October 9, 2020.

According to the US Department of Justice, four of the domains purported to belong to legitimate news outlets but were in reality controlled by the IRGC and intended to spread Iranian propaganda among US citizens. The remaining 88 domains targeted users in Western Europe, the Middle East and Southeast Asia. The sites impersonated real news outlets but were actually used by the IRGC to spread misinformation in the interests of the Iranian government.

All 92 domains were used in violation of sanctions against the Iranian government and the IRGC.

The investigation, initiated on the basis of data obtained from Google, was a joint effort of the FBI and commercial companies, in particular Google, Facebook and Twitter[9].

Iranian hackers claim Israeli railway hack

A group of Iranian hackers calling itself Cyber Avengers posted, on a Telegram channel associated with the Islamic Revolutionary Guard Corps, a statement claiming responsibility for attacks on Israel's railway communication system. This became known on July 31, 2020. Read more here.

Israel suspected of cyber attack on Iran's nuclear facility

On July 3, 2020, it became known that the Israeli authorities were suspected of carrying out a cyber attack on one of Iran's nuclear facilities. The incident occurred on July 2 and led to a fire and then an explosion at an underground uranium enrichment facility in Natanz.

According to Behrouz Kamalvandi, spokesman for the Atomic Energy Organization of Iran (AEOI), a building under construction near the nuclear facility in Natanz was damaged. According to the authorities, there were no casualties or serious damage, and the production facility continues to function normally.

Before the news of the Natanz fire broke, an email was sent to the BBC's Persian service in which a group called Cheetahs of the Homeland claimed responsibility for the attack.

According to the Cheetahs of the Homeland, they chose the uranium enrichment plant in Natanz because it has above-ground facilities, damage to which is harder for the Iranian authorities to hide than damage to underground facilities. The group allegedly consists of "former members of the Iranian security forces who decided to fight against the authorities."

The cyber attack follows Iran's alleged attempt to hack into Israeli water infrastructure computer systems in April 2020, which, had it succeeded, could have raised chlorine levels in the country's water supply and harmed the health of Israeli residents[10].

Large-scale DDoS attack cut off a quarter of the Internet in Iran

Iran's infrastructure was subjected to a large-scale DDoS attack, as a result of which 25% of Iranian Internet users were left without access to the Web[11].

According to the non-governmental organization NetBlocks, which monitors the security and freedom of the Internet, network failures began on Saturday, February 8, at 11:45 local time (11:15 Moscow time).

"As shown by real-time network data, Internet connectivity in the country decreased to 75% after the authorities allegedly activated the 'Digital Fortress' isolation mechanism (national cyber shield - ed.)," NetBlocks said on Twitter.

Problems with Internet access lasted several hours and affected the largest Iranian telecom operators. It was possible to partially resume the connection within one hour after disconnection, but some networks could not reconnect for seven hours.

2019

Iran repels second cyber attack in a week

Less than a week after the previous cyber attack on Iran, attackers tried again. This was announced on Sunday, December 15, by Iran's Minister of Information and Communications Technology Mohammad Javad Azari Jahromi, The New York Times writes[12].

According to the minister, the target of the attack was "espionage of government intelligence," but it was "identified and repelled by a cybersecurity shield." Jahromi also added that the authorities were able to identify the servers used in the attack and track the attackers, but did not elaborate. Who is behind the attack, what is its scale and whether there are victims, the minister did not say.

The APT33 group has created its own VPN network

On November 14, 2019, it became known that the Iranian government-sponsored cybercriminal group APT33, also known as Elfin, MAGNALLIUM or Refined Kitten, had created its own private VPN network to connect to its C&C servers, conduct reconnaissance in the networks of future targets and browse web pages. According to Trend Micro researchers, as of November 2019 APT33 is Iran's most technically advanced cybercriminal unit.

The group is considered the developer of the disk-wiping malware known as Shamoon (DistTrack), which disabled more than 35 thousand workstations of the Saudi Arabian company Saudi Aramco in 2012.

According to the researchers, the group's infrastructure is multi-layered and isolated, allowing APT33 to avoid detection. Experts have identified four layers. The VPN layer is a specially built network of VPN hosts for masking the operators' real IP addresses and location. The Bot Controller layer is an intermediate layer. The C&C Backend layer consists of the actual internal servers through which the group manages its botnets. The proxy layer is a set of cloud proxies that mask the C&C servers from infected hosts.

"A private VPN can be easily set up by renting a pair of servers from data centers around the world and using open source software such as OpenVPN," the researchers note.

However, a private VPN network actually makes the group easier to track: since APT33 uses its VPN exit nodes exclusively, the specialists were able to track some of the nodes over the course of a year (a list of IP addresses is available in the table below).
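Because the group routes its traffic through exit nodes it controls exclusively, the exit-node addresses work as high-confidence network indicators: any internal host connecting to one is worth an investigation, and inbound scans from one are worth correlating with exposed services. The following added example, not from the page or from Trend Micro's research, shows how a defender would match firewall logs against such a list. The indicator addresses are RFC 5737 documentation placeholders standing in for the table the text refers to (which the page does not reproduce), and the log lines are constructed.

```python
"""Match firewall logs against a list of known VPN exit-node addresses.

Added example, not from the page or Trend Micro's research. The indicator
addresses are RFC 5737 documentation placeholders standing in for the
researchers' table, which the page does not reproduce; the log lines are
constructed.
"""
import ipaddress
from collections import Counter

# Placeholder indicators: single hosts and a small block, as such lists usually mix.
EXIT_NODE_INDICATORS = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"]

# Constructed log lines: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2019-11-12T10:01:03 10.20.5.17 203.0.113.8 443 ALLOW
2019-11-12T10:01:09 192.0.2.11 10.20.5.17 22 DENY
2019-11-12T10:02:44 198.51.100.7 10.20.7.80 443 ALLOW
2019-11-12T10:03:10 198.51.100.200 10.20.7.80 443 ALLOW
2019-11-12T10:05:00 10.20.5.17 192.0.2.10 8443 ALLOW
"""


def compile_indicators(entries):
    """Parse host addresses and CIDR blocks into network objects for membership tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_log(log_text, networks):
    """Return one hit per log-line side (source or destination) that falls in an indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        for side, addr in (("source", src), ("destination", dst)):
            ip = ipaddress.ip_address(addr)
            matched = next((n for n in networks if ip in n), None)
            if matched is not None:
                hits.append({
                    "timestamp": ts, "side": side, "peer": addr,
                    "indicator": str(matched), "port": int(port), "action": action,
                })
    return hits


def outbound_hits(hits):
    """Hits where an internal host connected out to an indicator: the beaconing case."""
    return [h for h in hits if h["side"] == "destination"]


def summarize(hits):
    """Count hits per indicator, useful for deciding which nodes to block first."""
    return Counter(h["indicator"] for h in hits)


if __name__ == "__main__":
    nets = compile_indicators(EXIT_NODE_INDICATORS)
    found = match_log(SAMPLE_LOG, nets)
    for h in found:
        print(h)
    print("outbound:", outbound_hits(found))
    print(summarize(found))
```

The outbound match on port 8443 is the one that matters most: an allowed connection from an internal host to an exit node is consistent with the C&C path the text describes, whereas the denied inbound SSH attempt is reconnaissance that the perimeter already handled. Indicator lists of this kind age quickly, so the compile step is kept separate from the matching step to make refreshing the list cheap.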

In addition to connecting to the C&C servers, the group used the VPN network "for reconnaissance in networks related to the supply chain of the oil industry," as well as to access the websites of companies engaged in penetration testing, mail services, sites related to vulnerabilities, and underground resources dedicated to cryptocurrency. In addition, the group was interested in sites specializing in recruiting employees in the oil and gas industry[13].

US launches cyber strike on Iran over Saudi Aramco fire

The US conducted a secret cyber operation against Iran in response to the attacks on an oil company in Saudi Arabia that took place in September. As two knowledgeable sources told the Reuters news agency in October, Washington and Riyadh blame the September 14 attacks on the Iranian government[14][15].

According to the sources, who wished to remain anonymous, the operation was carried out at the end of September in order to prevent Tehran from spreading "propaganda." One of the sources said that the strike targeted hardware, but did not go into details.

This operation is more compact than other cyber operations carried out in 2019 by the US government in response to the downing of a drone in June and the attack on an oil tanker in May.

The official response to the drone attack was the US Department of Defense sending several thousand soldiers and additional weapons to Saudi Arabia to strengthen the defense. The Pentagon refuses to comment on the secret cyber operation.

Iran's oil and gas sector braces for any kind of attack

Iranian Oil Minister Bijan Namdar Zangane ordered the country's energy sector to go on high alert for threats of "physical and cyber attacks," Agence France-Presse news agency reported in September 2019.

"All companies and businesses in the oil industry must be on full alert against physical and cyber threats," the statement said.

According to the minister, the precautions are necessary due to US sanctions and the "full-scale economic war" that he accuses the US of waging against Iran.

Dutch intelligence assisted US-Israeli Stuxnet cyber attack on Iran

For years, a mystery has surrounded the Stuxnet cyber attack targeting Iran's nuclear program. It remained unclear how the Stuxnet malware was able to get onto the computer systems of the well-protected uranium enrichment plant in the city of Natanz[16].

A spy recruited by Dutch intelligence agents on behalf of the CIA and Israel's Mossad intelligence agency played a major role in the scheme, sources said in a conversation with Yahoo News. According to the sources, an Iranian engineer working for a shell company recruited by the Dutch intelligence agency AIVD provided critical data that helped US developers inject their code into the plant's systems. The spy then used internal access to introduce Stuxnet into the systems via a USB drive.

The covert operation, known as Olympic Games, was designed to slow the development of Iran's nuclear program and buy time to impose sanctions and bring the country to negotiations. The operation was mainly a joint US-Israeli mission involving the NSA, the CIA, Mossad, the Israeli Ministry of Defense and Israel's national SIGINT unit (the Israeli equivalent of the NSA). The U.S. and Israel received aid from three other countries, two of which were the Netherlands and Germany, according to the sources. The third is believed to have been France.

US attacked Iran's computer systems by Trump decree

US President Donald Trump approved the conduct by the country's Department of Defense of cyber attacks on Iranian computer systems used to control missile launches. As a result, the systems were disabled. This was reported by The Washington Post, citing knowledgeable sources in the intelligence services. Read more here.

Iranian authorities announced the elimination of the CIA spy cyber network

Iranian security forces have uncovered an extensive cyber espionage network believed to have been deployed by the US Central Intelligence Agency, Reuters reported in June 2019.

"Iranian intelligence services have discovered and neutralized one of the most complex CIA cyber espionage networks, which plays an important role in management operations in various countries," said Secretary of the Supreme National Security Council of Iran Ali Shamkhani[17].

He also added that Tehran shared information about the identified structure with a number of partners. As a result, several CIA agents were arrested. Shamkhani did not disclose data on how many employees of the department were arrested and in which countries.

Iranian cyber spies attack companies in US and Saudi Arabia

For the past three years, the cyber espionage group Elfin (also known as APT33), allegedly funded by the Iranian government, has been actively attacking organizations in the United States and Saudi Arabia[18].

As Symantec specialists reported in March 2019[19], organizations from various spheres became victims of the group. In addition to the government sector, Elfin is also interested in manufacturing, engineering and chemical enterprises, research organizations, consulting firms, financial and telecommunications companies, etc.

Over the past three years, 18 organizations in the United States, including Fortune 500 companies, have fallen victim to Elfin. Some of them were attacked in order to carry out further attacks on the supply chain. In one case, a large American company and a Middle East firm it owns fell victim to Elfin in the same month.

The latest wave of attacks was recorded in February 2019. To carry them out, the attackers tried to exploit a well-known vulnerability in the WinRAR utility (CVE-2018-20250), which allows an attacker to plant files and execute code on the system.

The exploit reached the computers of two employees of the attacked organization through a phishing email with a malicious JobDetails.rar file attached. After it was opened, an exploit for CVE-2018-20250 was delivered to the system.

Elfin was spotted by researchers in December 2018 in connection with new Shamoon attacks. Shortly before the Shamoon attack, one of Saudi Arabia's companies was infected with the Stonedrill malware from Elfin's arsenal. As the attacks followed one after the other, experts suggested there could be a link between the two. However, to date no other evidence has been found of Elfin's involvement in the Shamoon attacks.

In addition to the Stonedrill backdoor, the group also uses the Notestuk backdoor, which provides access to files on the attacked system, and a customized AutoIt backdoor. Along with proprietary tools, the attackers also use software purchased on the black market, including the Remcos, DarkComet and Quasar RAT trojans, etc.

2018

Iran has prepared the foundation for large-scale cyber attacks on Europe and the United States

Iranian hackers have prepared the foundation for large-scale cyber attacks on the state infrastructure of the United States and European countries, NBC reported in July 2018, citing a number of American officials[20].

The attacks in question are DoS attacks on electricity grids, hydroelectric power plants, health organizations and technology enterprises in the USA, Germany, Great Britain, as well as other countries in Europe and the Middle East.

According to the outlet's sources, although Iran is preparing to carry out hacker attacks, there is currently no evidence that they will be carried out in the near future. Nevertheless, because of the risk, the United States is taking measures to strengthen cybersecurity, warning allies and studying methods of responding to cyber threats. It is currently unclear whether the options under consideration include proactive cyber attacks on Iran.

In turn, the press secretary of the Iranian permanent mission to the UN, Alireza Mirusefi, said that "Iran does not intend to enter into any cyber war with the United States."

"Honestly, from our point of view, the United States can use its own suspicions as a possible justification for a cyber attack against Iran," the spokesman said.

Iranian authorities announced US plans to attack Iran in cyberspace

According to the head of the Iranian Civil Defense Organization, Major General Gholamreza Jalali, after the conclusion of the nuclear agreement (the so-called Joint Comprehensive Plan of Action), the United States launched projects like Nitro Zeus in cyberspace. This indicates a shift by the United States from physical attacks to cyber attacks, the major general said[21].

"Judging by the recent comments of the US Secretary of State, they (the American authorities - ed.) retained their cyber tools and, if necessary, will use them against us," the Iranian outlet Mehr quotes Jalali as saying.

According to Jalali, the computerization of the country has made Iran susceptible to cyber attacks. The energy sector is the most vulnerable, the major general noted.

In March 2018, the US government imposed sanctions on nine Iranian citizens and the Mabna Institute. The reason was the hacker attacks attributed to them by the American authorities. According to Washington, the cybercriminals have been operating since 2013 in the interests of the Islamic Revolutionary Guard Corps[22].

2017

US Justice Department links HBO hack to Iran

By the end of 2017, the US Department of Justice intends to announce several criminal cases against Iranian citizens, including those accused of hacking HBO[23].

According to The Washington Post, citing informed sources, last month the US Department of Justice instructed prosecutors to take a closer look at the ongoing investigations against Iran or its citizens in order to publicize the cases. The decree raised concerns among ministry officials, the sources said. Some fear it could be linked to new sanctions the US Congress intends to impose on Iran. In addition, publicizing cases can make it much more difficult to catch criminals.

One of the above investigations concerns cyberattacks on HBO. The American TV channel was subjected to several hacks, and the most serious of them were recorded in July and August 2017. As a result of cyberattacks, attackers managed to steal 1.5 TB of data from HBO, including scripts for episodes of the television series Game of Thrones that had not yet been released and electronic correspondence from the channel's management. The purpose of the hackers was blackmail - they demanded money, otherwise threatening to publish the stolen materials.

Whether the TV channel fulfilled the conditions of the criminals is unknown. However, one of the hackers provided evidence that the company was trying to offer them money as a "bug bounty."

Iranian hackers involved in cyber attack on British parliament

The attack on the mailboxes of UK MPs, including Theresa May, in June 2017 was the work of Iranian hackers. This was reported by The Telegraph, citing knowledgeable sources[24].

Recall that at the end of June, the UK parliament was subjected to a prolonged cyber attack lasting more than 12 hours, during which attackers compromised around 90 parliamentarians' email accounts. Initially, "Russian" hackers were suspected of the attack, but the British intelligence services have now concluded that Iran is behind the incident. This is Tehran's first significant cyber attack on the UK, the newspaper notes.

As part of the attack, the hackers repeatedly attempted to guess "weak" email passwords of politicians and their aides. As a precaution, Parliament's IT specialists blocked external access to the system, leaving British parliamentarians unable to access their mailboxes. In total, the attackers compromised 9 thousand accounts.
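Repeated attempts to find weak passwords across dozens of accounts are the signature of a password spray: few attempts per account, many accounts per source, in a short window, which keeps every individual account below its lockout threshold. The following added example, not from the page or from The Telegraph's reporting, implements that detection over constructed authentication log lines and also lists the accounts on which a success occurred during an alerting spray, which is the set that needs a reset and an investigation rather than a lockout notice.

```python
"""Detect password spraying in authentication logs.

Added example, not from the page or The Telegraph's reporting. It assumes
log lines of the form 'timestamp source_ip account result'; the sample
lines, source addresses and account names are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source cycling through six accounts with one success,
# and one source retrying a single account (a user mistyping, not a spray).
SAMPLE_AUTH_LOG = """\
2017-06-23T22:00:01 203.0.113.5 mp.one@parliament.example FAIL
2017-06-23T22:00:03 203.0.113.5 mp.two@parliament.example FAIL
2017-06-23T22:00:05 203.0.113.5 mp.three@parliament.example FAIL
2017-06-23T22:00:07 203.0.113.5 mp.four@parliament.example FAIL
2017-06-23T22:00:09 203.0.113.5 mp.five@parliament.example SUCCESS
2017-06-23T22:00:11 203.0.113.5 mp.six@parliament.example FAIL
2017-06-23T22:01:00 198.51.100.9 aide.one@parliament.example FAIL
2017-06-23T22:01:30 198.51.100.9 aide.one@parliament.example FAIL
2017-06-23T22:02:00 198.51.100.9 aide.one@parliament.example SUCCESS
"""


def parse_auth_log(text):
    """Yield (timestamp, source_ip, account, result) tuples in log order."""
    for line in text.splitlines():
        if line.strip():
            ts, src, account, result = line.split()
            yield datetime.fromisoformat(ts), src, account, result


def detect_spray(text, min_accounts=5, window=timedelta(minutes=10)):
    """Per source, keep a sliding window of attempts and alert once the window
    spans at least min_accounts distinct accounts. Successes count as attempts:
    a spray that lands on a weak password yields one success among the failures."""
    recent = defaultdict(deque)   # source_ip -> deque of (timestamp, account)
    alerts = {}
    for ts, src, account, _result in parse_auth_log(text):
        dq = recent[src]
        dq.append((ts, account))
        while dq and ts - dq[0][0] > window:
            dq.popleft()
        accounts = {a for _, a in dq}
        if len(accounts) >= min_accounts:
            entry = alerts.setdefault(src, {"first_seen": dq[0][0], "accounts": 0})
            entry["accounts"] = max(entry["accounts"], len(accounts))
    return alerts


def compromised_during_spray(text, alerts, window=timedelta(minutes=10)):
    """Accounts with a SUCCESS from an alerting source within the window after first_seen."""
    hit = []
    for ts, src, account, result in parse_auth_log(text):
        if src in alerts and result == "SUCCESS" and ts - alerts[src]["first_seen"] <= window:
            hit.append(account)
    return hit


if __name__ == "__main__":
    found = detect_spray(SAMPLE_AUTH_LOG)
    print(found)
    print(compromised_during_spray(SAMPLE_AUTH_LOG, found))
```

The per-account failure counters that drive lockout policies never fire on the constructed spray, because each account sees exactly one attempt; only the per-source view across accounts does. The threshold and window are tunable, and in practice the source key is often a subnet or an ASN rather than a single address, since sprays are distributed across many exit addresses to stay under exactly this kind of detector.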

The attackers' motives are unknown, but experts believe that the Iranian Islamic Revolutionary Guard Corps (IRGC), which used cyber weapons to undermine Iran's nuclear treaty with the West, may be involved in the cyber attack.

2015: Iran wages covert cyber war against Europe and Israel

Experts from Trend Micro reported in the spring of 2015 about the Woolen-GoldFish malicious campaign against Israeli and European organizations, carried out by "state" hackers from the Rocket Kitten group[25].

Compared to previous attacks, in which attackers distributed GHOLE malware using Office attachments in phishing emails, the current campaign is much more deliberate.

First, the phishing emails are now more convincing and less suspicious. Secondly, instead of a malicious attachment, the attackers began to use a link to a file in Microsoft OneDrive named Iran's Missiles Program.ppt.exe. According to experts, such tactics bypass email security systems. The executable downloads a variant of the CWoolger keylogger to the victim's system, "not as complex as its contemporaries," the experts say.
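Both this delivery (a link to a file named Iran's Missiles Program.ppt.exe, where the document extension hides the executable one) and the JobDetails.rar lure in the 2019 Elfin section above rely on the recipient trusting the file name rather than the content. The following added example, not code from this page or from Trend Micro's or Symantec's research, shows the two checks a mail gateway or download proxy can run: a double-extension check for a document extension followed by an executable one, and a magic-byte check that flags an ACE-format archive delivered under a .rar name (the archive format whose handling CVE-2018-20250 concerned). The extension sets, signatures and sample bytes are constructed for the demonstration.

```python
"""Triage mail attachments and download links by name and by content.

Added example, not from the page or from Trend Micro's or Symantec's research.
Extension sets, signatures and sample bytes are constructed for the demonstration.
"""
import os

# File signatures. RAR archives start with their magic; ACE archives carry
# the string **ACE** at byte offset 7; Windows executables start with MZ.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .ppt/.doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                        # .pptx/.docx and plain zip

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT_EXTS = {".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def sniff_type(data):
    """Classify by leading bytes, independent of the file name."""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    if len(data) >= 14 and data[7:14] == ACE_MAGIC:
        return "ace"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def split_extensions(name):
    """All suffixes of the base name, lower-cased: 'a.ppt.exe' -> ['.ppt', '.exe']."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def triage(name, data=None):
    """Return the reasons an attachment or linked file should be held for review."""
    findings = []
    exts = split_extensions(name)
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append("document extension masking an executable extension")
    elif last in EXECUTABLE_EXTS:
        findings.append("executable attachment")
    if data is not None:
        kind = sniff_type(data)
        if last == ".rar" and kind == "ace":
            findings.append("ACE archive delivered under a .rar name")
        if last in DOCUMENT_EXTS and kind == "pe":
            findings.append("executable content behind a document extension")
    return findings


# Constructed sample contents: just enough bytes to carry each signature.
PE_SAMPLE = PE_MAGIC + b"\x90" * 62
ACE_SAMPLE = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
RAR_SAMPLE = RAR4_MAGIC + b"\x00" * 16
PPTX_SAMPLE = ZIP_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for name, data in [
        ("Iran's Missiles Program.ppt.exe", PE_SAMPLE),
        ("JobDetails.rar", ACE_SAMPLE),
        ("JobDetails.rar", RAR_SAMPLE),
        ("quarterly.pptx", PPTX_SAMPLE),
    ]:
        print(name, sniff_type(data), triage(name, data))
```

The name check alone catches the OneDrive lure and the content check alone catches the disguised ACE archive; a gateway needs both, because a link scanner sees only a name until the file is fetched, while an archive named .rar looks ordinary until its bytes are read. A real RAR named JobDetails.rar produces no finding, which is the point: the alert is on the mismatch, not on the archive format as such.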

Trend Micro suggests that the author of the keylogger, who calls himself Wool3n.H4t, is associated with Iran. The researchers found that a user with this pseudonym owns an inactive blog on a free Iranian service. In addition, Wool3n.H4t turned out to be registered on several Iranian underground hacker forums. The blog has published only two posts, signed by Masoud_pk. Experts suggest that Masoud (one of the 50 most common names in Iran) may be the real name of the developer of CWoolger. Recently, many countries have begun to pay special attention to the hidden war on the Web. It is only alarming that the blame is mainly laid on countries that are at war with each other or have some tensions between them. It cannot be ruled out that this is done to add fuel to the fire.

  1. Iran confirms nationwide cyberattack on gas stations
  2. Anonymous declared cyber war on Iran due to protests
  3. Cyber conflict between the United States and Iran continues to heat up
  4. Gas stations in Iran disrupted by cyberattack
  5. Cyber Capabilities and National Power: A Net Assessment
  6. As its cyber strength grew, Iran began to conduct exercises for its allies
  7. The accident at the nuclear facility in Natanz may be the work of the Israeli special services.
  8. Iranian hackers sent threatening letters to American voters
  9. The FBI turned off 92 fake news resources
  10. Israel suspected of a cyber attack on Iran's nuclear facility
  11. A large-scale DDoS attack turned off a quarter of the Internet in Iran
  12. Iran repelled the second cyber attack in a week
  13. The Iranian group APT33 created its own VPN network
  14. on September 14 as a result of a drone attack on two factories of Saudi Arabia's national oil company Saudi Aramco. Saudi Arabia, the United States, Great Britain, Germany and France blamed Iran for the incident. Iran-friendly Houthi rebels claimed responsibility for the incident.
  15. The United States launched a cyber strike on Iran for a fire on Saudi Aramco
  16. Dutch intelligence assisted the US-Israeli Stuxnet cyber attack on Iran
  17. Iranian authorities announced the elimination of the CIA spy cyber network
  18. Iranian cyber spies are attacking companies in the United States and Saudi Arabia
  19. Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
  20. Iran has prepared the foundation for large-scale cyber attacks on Europe and the United States
  21. Iranian authorities announced US plans to attack Iran in cyberspace
  22. Islamic Revolutionary Guard Corps, an Iranian elite military-political formation created in 1979. He took an active part in the Iran-Iraq war and in the creation of the Hezbollah organization. It is officially part of the Iranian armed forces
  23. US Department of Justice linked the HBO hack to Iran
  24. Iranian hackers were involved in a cyber attack on the British parliament
  25. Iran is waging a covert cyber war against Europe and Israel