---
title: "Who is Behind Pro Ukrainian Cyberattacks on Iran"
type: "post"
post_id: "5408"
slug: "who-is-behind-pro-ukrainian-cyberattacks-on-iran"
canonical: "https://pennyforyourthoughts2.ca/2024/01/10/who-is-behind-pro-ukrainian-cyberattacks-on-iran/"
markdown_url: "https://pennyforyourthoughts2.ca/2024/01/10/who-is-behind-pro-ukrainian-cyberattacks-on-iran.md"
json_url: "https://pennyforyourthoughts2.ca/2024/01/10/who-is-behind-pro-ukrainian-cyberattacks-on-iran.json"
txt_url: "https://pennyforyourthoughts2.ca/2024/01/10/who-is-behind-pro-ukrainian-cyberattacks-on-iran.txt"
published: "2024-01-10T21:18:55+00:00"
modified: "2024-01-10T21:18:55+00:00"
author: "penny2"
categories:
  - "Uncategorized"
tags:
  - "Iran"
  - "NATO"
  - "Ukraine"
site_name: "PFYT2"
publisher: ""
language: "en-US"
generator: "easyPress Markdown"
generator_version: "1.0.6"
---
**I’ve long, long, long been skeptical of these so-called hacktivist groups. This goes back more than a decade, to the absurdly named “Anonymous” hacktivist group. There are reports at my censored blog on this topic.**

You can read [the full article at the link](https://www.darkreading.com/cyberattacks-data-breaches/who-is-behind-pro-ukrainian-cyberattacks-iran).

#### Nebula Hits an Unexpected Target

**It’s not likely this is an unexpected target; it would seem to me that the group would have intentionally targeted Raykasoft with the intent to breach their systems.**

> On Oct. 28, **Nebula posted screenshots of its breach of Raykasoft, an Iranian company specializing in medical software**. While the breach isn’t sophisticated — the group somehow obtained root and is deleting backups and file systems with `rm -rf --no-preserve-root` — the message they left, which directly references Iran, is unusual. The message begins:

> ***“Iran, you’ve overstepped your bounds and you’re getting involved in conflicts that do not concern you. As a result, we’ve dropped medical databases containing over 10TB worth of data between several critical servers. We’ve also destroyed these servers as well. Raykasoft has proved they can’t secure medical data.”*** [Link to message image](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt01079d5ea73e975a/659d8adf984e23040a4188b0/Nebula-statement.PNG?width=700&auto=webp&quality=80&disable=upscale)

> **The IT Army of Ukraine has made it a point to target only Russian and Belarusian assets, no doubt to avoid upsetting Western backers that are providing significant military aid**. Some Western companies still doing business in Russia are anecdotally targeted, **but this has been attributed more often to Anonymous** rather than official Ukrainian cyber forces, whose official stance is to focus on Russia.

***The “conflicts that don’t concern you”*** in Nebula’s message refers to the military support Iran has been providing Russia, mainly [Shahed drones](https://en.wikipedia.org/wiki/HESA_Shahed_136) that have been raining down on Ukrainian cities for over a year and have caused untold suffering for the civilian population.

#### Who Is Nebula?

> So, who is this group exactly? On Nov. 17, Nebula accidentally leaked one of its operational IP addresses in screenshots of its recent breach of Russian software company Insoft.ru.
> 
> In an almost nightmarish scenario for any infosec professional, the screenshots show a half-dozen [Meterpreter shells](https://www.darkreading.com/cyberattacks-data-breaches/new-tool-exposes-stealthy-metasploit-hack) Nebula has open in Insoft’s infrastructure. (Meterpreter is a Metasploit payload that can be used to download and upload files, run code, and open a command shell.) The source IP is blocked out … but not very well.

[Link to image](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blte54aabf41ba703ef/659d8b43ff2676040adc3617/Meterpreter-sessions.PNG?width=700&auto=webp&quality=80&disable=upscale)

> Looking carefully, it appears the source IP looks like 91.92.246.69 or 91.92.246.89. Scanning both with nmap shows 91.92.246.69 with an open [Cobalt Strike](https://www.darkreading.com/threat-intelligence/how-to-identify-cobalt-strike-on-your-network) beacon on port 4445 running, so that’s the likely one. These IPs are owned by LimeNet out of the Netherlands — but in cyberspace, attribution is a difficult thing, so that means little.

> Looking at the evidence, it’s unlikely that Nebula, **while effectively being pro-Ukrainian,** is controlled by the SSSCIP or the IT Army of Ukraine. **That it would go after a medical target isn’t aligned with the IT Army of Ukraine’s philosophy.**

**While effectively being pro-Ukrainian, the target isn’t aligned with the IT Army of Ukraine’s philosophy.**

**Doubtful this is a so-called pro-Ukrainian group, not being aligned with their so-called philosophy. So, who, which nation, is behind this?**
