Who is Behind Pro Ukrainian Cyberattacks on Iran

I’ve long, long, long been skeptical of these so-called hacktivist groups. This goes back better than a decade, to the absurdly named “Anonymous” hacktivist group. There are reports at my censored blog on this topic.

You can read entirely at the link

Nebula Hits an Unexpected Target

It’s not likely this is an unexpected target; it would seem to me that the group intentionally targeted Raykasoft with the intent to breach their systems.

On Oct. 28, Nebula posted screenshots of its breach of Raykasoft, an Iranian company specializing in medical software. While the breach isn’t sophisticated — the group somehow obtained root and is deleting backups and file systems with “rm -rf --no-preserve-root” — the message they left, which directly references Iran, is unusual. The message begins:

“Iran, you’ve overstepped your bounds and you’re getting involved in conflicts that do not concern you. As a result, we’ve dropped medical databases containing over 10TB worth of data between several critical servers. We’ve also destroyed these servers as well. Raykasoft has proved they can’t secure medical data.” Link to message image

The IT Army of Ukraine has made it a point to target only Russian and Belarusian assets, no doubt to avoid upsetting Western backers that are providing significant military aid. Some Western companies still doing business in Russia are anecdotally targeted, but this has been attributed more often to Anonymous rather than official Ukrainian cyber forces, whose official stance is to focus on Russia.

The “conflicts that doesn’t concern you” in Nebula’s message refers to the military support Iran has been providing Russia, mainly Shahed drones that have been raining down on Ukrainian cities for over a year and caused untold suffering for the civilian population.

Who Is Nebula?

So, who is this group exactly? On Nov. 17, Nebula accidentally leaked one of its operational IP addresses in screenshots of its recent breach of Russian software company

In an almost nightmarish scenario for any infosec professional, the screenshots show a half-dozen Meterpreter shells Nebula has open in Insoft’s infrastructure. (Meterpreter is a Metasploit payload that can be used to download and upload files, run code, and open a command shell.) The source IP is blocked out … but not very well.


Looking carefully, it appears the source IP looks like or Scanning both with nmap shows with an open Cobalt Strike beacon on port 4445 running, so that’s the likely one. These IPs are owned by LimeNet out of the Netherlands — but in cyberspace, attribution is a difficult thing, so that means little.

Looking at the evidence, it’s unlikely that Nebula, while effectively being pro-Ukrainian, is controlled by the SSSCIP or the IT Army of Ukraine. That it would go after a medical target isn’t aligned with the IT Army of Ukraine’s philosophy.

While the group is effectively pro-Ukrainian, the target isn’t aligned with the IT Army of Ukraine’s philosophy.

Doubtful this is a so-called pro-Ukrainian group, since it isn’t aligned with their so-called philosophy. So who, which nation, is behind this?
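The quoted article says the attackers, once root, wiped backups and file systems with “rm -rf --no-preserve-root”. As an added example that is not part of the original post or the article, here is a small detector a defender could run over shell-command audit logs to flag exactly that pattern before it finishes; the log format (a hypothetical “cmdaudit” line carrying user= and cmd=) and all sample lines are constructed for illustration.

```python
import re
import shlex

# Constructed sample log lines (not from the incident) in a hypothetical
# "cmdaudit" format: which user ran which command on the host.
SAMPLE_LOG = """\
Oct 28 03:14:07 db01 cmdaudit[2211]: user=root cmd="ls -la /srv/medical"
Oct 28 03:14:12 db01 cmdaudit[2213]: user=root cmd="rm -rf /var/backups/*"
Oct 28 03:14:40 db01 cmdaudit[2220]: user=app cmd="rm -rf /tmp/build"
Oct 28 03:15:01 db01 cmdaudit[2225]: user=root cmd="rm -rf --no-preserve-root /"
Oct 28 03:15:30 db01 cmdaudit[2230]: user=root cmd="rm -r -f /"
"""

LINE_RE = re.compile(r'user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"')
# Assumed backup locations; adjust to the host's real layout.
BACKUP_DIRS = ("/var/backups", "/backup", "/backups", "/srv/backup")

def classify_rm(argv):
    """Return 'critical', 'high', or None for an rm command line (argv list)."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":
        return None
    opts = [a for a in argv[1:] if a.startswith("-")]
    paths = [a for a in argv[1:] if not a.startswith("-")]
    # Collapse bundled short flags such as -rf into one string of letters.
    short = "".join(o[1:] for o in opts if not o.startswith("--"))
    recursive = "r" in short or "R" in short or "--recursive" in opts
    force = "f" in short or "--force" in opts
    if "--no-preserve-root" in opts or (recursive and "/" in paths):
        return "critical"  # whole-filesystem destruction attempt
    if recursive and force and any(p.startswith(BACKUP_DIRS) for p in paths):
        return "high"  # backups wiped: the usual step before destroying data
    return None

def scan_log(text):
    """Return a list of (severity, user, cmd) for destructive rm invocations."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            argv = shlex.split(m.group("cmd"))  # no glob expansion, as logged
        except ValueError:
            argv = m.group("cmd").split()
        sev = classify_rm(argv)
        if sev:
            alerts.append((sev, m.group("user"), m.group("cmd")))
    return alerts

if __name__ == "__main__":
    for sev, user, cmd in scan_log(SAMPLE_LOG):
        print(f"[{sev}] user={user} cmd={cmd}")
```

Wiring the same check into a real pipeline (auditd EXECVE records, a shell audit module, or an EDR command-line feed) is what makes it useful; the parser here only shows the classification logic.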
