The alleged HBO hacker and Iranian national Behzad Mesri, from the FBI’s Most Wanted page.
The feds have unsealed an indictment against the man they believe was behind the cyberattack on HBO that led to the leak of Game of Thrones episodes and actors’ personal data, amongst other information from the television giant. The blame has been placed upon a 29-year-old Iranian national, Behzad Mesri, who was said to have tried to extort HBO for $6 million in Bitcoin. He now sits on the FBI’s Most Wanted list.
The most astonishing piece of the Department of Justice’s indictment was the claim (one that comes with no evidence or additional data) that Mesri had “worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems and Israeli infrastructure.” That would suggest the DoJ believed Mesri to be a serious operator among an increasingly sophisticated number of Iranian cyberwarfare specialists.
But according to two experts on Iranian cyberwarfare, there’s little evidence from the online activity linked to his various names and affiliations that Mesri was a particularly sophisticated actor. His work was largely part of a hacktivist group called Turk Black Hat Security team, in which he used the moniker Skote Vahshat, the DoJ said. They defaced a significant number of websites (hundreds, according to the DoJ), most likely using a type of attack targeting websites’ databases, a common technique known as SQL injection, said Collin Anderson, a Washington D.C.-based researcher working on a report on Iranian cyberwarfare for Carnegie Mellon.
Much of their work can be found on Zone-h.org, where hackers show off their defacement work, such as in the image below.
The Turk Black Hat crew defaced hundreds of websites, according to the DoJ. The feds believe the same Iranian who hacked HBO was part of the group.
It appeared Mesri may have had poor operational security. Forbes found his name on domain records for the hacker crew’s website, the same as linked in the defacement above. Forbes found old domain records for turk-bh.ir that listed a Behzad Mesri, alongside Gmail address email@example.com, in the registration details. It also listed an address in Naghadeh, Iran. (Forbes attempted to contact the user of that email address and another associated with Mesri and the Turk Black Hat website, but had not received a response at the time of publication).
Anderson told Forbes he also found Mesri’s page on PersianGig, an Iranian file-hosting website where users share whatever content they wish. In Mesri’s case, Anderson told Forbes, he’d uploaded a number of hacking tutorials for the likes of SQL injection and other technically basic or “script kiddie” attacks.
As for what the indictment reveals about the HBO attack, the feds claimed Mesri had scanned the broadcaster’s network for points of entry where employees could log in remotely. The government claimed he was able to obtain passwords for those logins between May and July this year, allowing him access to internal systems storing data on not just Game of Thrones, but big-name shows like Curb Your Enthusiasm and The Deuce. He then sent threatening emails demanding $6 million in bitcoin, otherwise more data would be leaked, signing off one with an image of the Game of Thrones character the Night King.
The HBO hacker signed off one email to the TV giant with an image of the Night King character from Game of Thrones.
But even that hasn’t impressed onlookers as to the level of sophistication of the alleged HBO hacker. “We’re not seeing any reason to believe this guy was particularly elite hacker,” added CrowdStrike head of security research Adam Meyers.
An HBO spokesperson said in a statement: “HBO has confirmed in the past that we were working with law enforcement from the early stages of the cyber incident. As far as the criminal case is concerned, we prefer to leave any comments to the U.S. Attorney’s Office.”
Script kiddies turn government contractors
Meyers said many in the Iranian hacking scene had, in the past couple of years, moved from online forums to professionalization, including a group known as ITSec Team, a company accused of helping hack a small dam in America in 2015. From his research, it appeared to Meyers that the accused was one of the “non-professionalized actors.” Anderson, however, suggested it may be that Mesri was able to professionalize. “It wouldn’t surprise me if this was another example of this trend going on.”
He also wondered about the motivations of the U.S. government to allege Mesri worked with the Iranian military on cyber operations without more substantive evidence. “I think it’s political, in order to increase the perception this person is an operator… and might be of more substantial interest,” Anderson added. “Who is the audience for this indictment and to what purpose?
“Is this aligned with what we see in non-cyber related issues, an overall increase in the pressure that’s being applied for its more malicious activities?
“I think one thing that keep remind – this person being present in Iran doesn’t mean the HBO hack was orchestrated by Iran government. Iran isn’t North Korea.” North Korea, another nation of increasing concern to the White House, was blamed for the catastrophic cyberattack that hit another major production house in 2014, Sony Pictures.
Iran has been involved in some major cyber incidents of late. Forbes recently revealed that hackers linked to the regime had created a convincing fake profile on Facebook that tricked a Deloitte employee into running malware on his work PC. Iran has also been linked to wide-ranging cyberespionage operations across the Middle East by a group known as OilRig.