October 3, 2024 | The Cipher Brief
Iranian Cyber Operations Raise Fears of Attacks on Military Personnel
“You and your children … are our legitimate targets around the world,” an X account called @idfleaks threatened in December 2023, addressing service members from the Israel Defense Forces (IDF). This account and its affiliated network of internet domains and related entities have released detailed personal information about thousands of Israeli troops and their families. While the “IDFLeaks” campaign claims to be the work of independent hackers, or ‘hacktivists,’ it was likely the work of Iran, which often masquerades as different hacktivist organizations to obscure its involvement in cyber operations.
Hacktivists, cybercriminals, and even nation-states have previously exposed the personal information of military service members, a form of intimidation known as ‘doxxing.’ The exposed data typically includes phone numbers, physical addresses, ID numbers, family members, and other information that can be used to threaten or harass the targets. In 2015, for example, pro-ISIS hackers published “kill lists” doxxing U.S. government and military personnel. IDFLeaks is noteworthy, however, because of its scale and the systematic way it collected, synthesized, presented, and distributed the information.
The IDFLeaks campaign has disseminated over 2,200 comprehensive dossiers on Israeli Air Force (IAF) personnel branded with the logo of Hamas’s military arm, the Izz al-Din al-Qassam Brigades. An Israeli security source attributed the dossiers to Hamas, according to a joint investigation by Haaretz and four other media outlets. While Hamas operatives may indeed have collated the information, the method of distribution bears Iranian fingerprints.
IDFLeaks’ 2,200 dossiers are distinctive because they synthesize stolen or ‘breach’ data with information from public social media, thus amplifying the risk to the dossiers’ targets. This is a new and dangerous tactic that not only Iran, but also other adversaries could deploy against U.S. military personnel. Cybercriminals regularly steal large volumes of Americans’ personally identifiable information, which one can often find for sale on criminal markets on the clear and dark web. As such, the U.S. Department of Defense (DoD) needs to expand its focus beyond preventing exposure of personal information from DoD systems. The IDFLeaks campaign serves as a cautionary tale for the DoD. By providing stronger best practices for personal social media use and monitoring third party data breaches for personnel exposure, the DoD can better defend servicemembers against sophisticated doxxing threats like the IDFLeaks campaign.
Contents of the Dossiers and How Hamas Gathered Information
Hack-and-leak operations — in which cyber operators pilfer and then release confidential information — often dump large amounts of raw data on public websites or social media platforms. The resulting mass of data is often difficult to parse. IDFLeaks, by contrast, sorted and organized the collected information to create comprehensive, structured files that other malicious actors could easily use to intimidate victims, launch cyberattacks, commit fraud or identity theft, or even threaten physical violence. While there have been no known instances in which malicious actors used IDFLeaks dossiers to launch follow-on operations, hackers have used past data breaches to harass Israeli citizens and soldiers online.
Each of the dossiers lists the person’s name, base or unit, military position, I.D. number, phone number, email address, social media accounts, and family members. In some cases, the victim’s passwords, license plate, and credit card and bank information were also disclosed. The dossier headers include logos from Hamas’ Izz al-Din al-Qassam Brigades, and the footers describe IAF personnel and their families as legitimate military targets.
According to the aforementioned investigation by Haaretz and its partners, Hamas likely gathered the underlying information in the dossiers as part of routine intelligence-gathering operations and not necessarily with the initial intent to doxx Israeli soldiers. It appears that Hamas operatives mined information from social media and public databases along with data stolen and leaked by suspected Iranian actors and cybercriminals. At no point, it seems, did Hamas compromise any IDF information system. The Haaretz-led investigation also posited that Hamas used a profiling tool that automatically collected and aggregated open source information to create detailed profiles on each service member included in the dossiers.
How IDFLeaks Disseminated the Dossiers
IDFLeaks disseminated the dossiers using a network of websites, social media and messaging platforms, and cybercriminal forums. This IDFLeaks network began disseminating the dossiers in mid-December 2023, and other hacktivist groups then promoted the case files for months, continuing into early 2024.
The actors behind the IDFLeaks campaign created its main website, IDFLeaks[.]info, on December 11 and immediately began posting the dossiers. To create this domain, they used legitimate, commercial internet infrastructure. The operators created two additional domains, idf[.]pics and idfinfo[.]pw, presumably as backups in case any social media platform banned the primary IDFLeaks domain.
On December 17, the network created accounts on a series of hacking forums and began posting the dossiers there. These forums included Cracked[.]io, Crackingx[.]com, Breachforums[.]st, and Nulled[.]to. While Nulled[.]to banned the IDFLeaks accounts for spreading “spam,” IDFLeaks continued to post on others. In mid-April, the network posted the dossiers again on Breachforums[.]st, BHF[.]pro, and Leakbase[.]io, urging fellow forum members to “please share the files with others.”
IDFLeaks also used social media and messaging platforms to distribute its content. The IDFLeaks network includes one central X account as well as a YouTube channel. Both remain live, but the X account last posted in December 2023, and, as of August 2024, no publicly available videos have been posted to the YouTube channel. The network also included an automated bot on Telegram that is now inactive. The network further operates one account on Eitaa, an Iranian Telegram-style messenger allegedly sponsored by Tehran. Beyond the official IDFLeaks Eitaa channel, a separate Eitaa channel, “Nezamitarinn,” was an early promoter of the IDFLeaks content and reposted links to the IDFLeaks Eitaa account. Nezamitarinn is explicitly pro-regime: its profile picture is an image of Qassem Soleimani, the late commander of the Quds Force, the expeditionary arm of Iran’s Islamic Revolutionary Guard Corps, and its profile description mentions the Iranian “resistance front.” The use of Eitaa indicates that the actors behind IDFLeaks wanted to reach Iranian audiences, as Eitaa is not commonly used outside Iran.
After IDFLeaks initially seeded the dossiers on cybercriminal forums, social media, and messaging platforms, hacktivist groups amplified the material. On Telegram, in particular, Russian-language malware forums and other cybercrime discussion groups shared the dossiers. The most active group amplifying the case files is a new hacktivist organization named “Hunt3r Kill3rs,” which posted all six of the IDFLeaks zip files on Telegram on May 6.
While claiming to be a Russian hacktivist group, Hunt3r Kill3rs has primarily focused on Israeli targets since it became active in April 2024. The group may in fact be Iranian. Hunt3r Kill3rs regularly amplifies content from Cyb3rAv3ngers, a group the U.S. government has determined to be affiliated with Iran’s Islamic Revolutionary Guard Corps. In addition, Hunt3r Kill3rs is known to have compromised Unitronics programmable logic controllers, the same industrial control equipment that Cyb3rAv3ngers hacked in cyber operations targeting numerous small water utilities across the United States late last year. Finally, Iranian hacktivist fronts, like many other hacktivist groups, tend to change E’s to 3’s to imitate leetspeak, a form of modified English spelling common among hackers and gamers.
Who Is Behind the IDFLeaks Campaign?
While the IDFLeaks campaign claims to be an authentic hacktivist effort and uses many tools common to hacktivists, the group’s goals, infrastructure, and tactics, techniques, and procedures (TTPs) point to Iran. Nation-state threat actors often claim to be hacktivist groups to obfuscate their identity and maintain plausible deniability. Iranian operators, in particular, have masqueraded as hacktivist organizations to conduct cyberattacks and influence operations. While it is possible that IDFLeaks is an entirely Hamas-run operation, the terrorist organization has no significant history of running such complex operations. Instead, Hamas likely created the dossiers while Iran set up the distribution and amplification network.
Common hacktivist tools used by the IDFLeaks network include a README file, the anonymous email services Onionmail and DNMX, and the encrypted messaging services TOX and Session. Hacktivists and cybercriminals commonly use README files to convey additional information or context about their operations — for example, including a README file as a ransom note. IDFLeaks used a README file to add written context to its dossiers, noting that its dossiers reveal “hidden truths about the Israeli devil forces (IDF) [sic].” The README file shared by IDFLeaks included contact information for Onionmail, DNMX, TOX, and Session.
Similarly, while hacktivists often conduct hack-and-leak operations, nation-states also regularly conduct these operations. When Iranian state-backed cyber actors engage in hack-and-leak operations, they do so almost exclusively under the guise of hacktivism. Iranian-backed cyber actors claiming to be hacktivists have conducted hack-and-leak operations against Saudi Arabia and the United States, but they most often target Israel. Most recently, an Iranian hack-and-leak operation targeted the Israeli delegation to the 2024 Olympics under the guise of a hacktivist front.
More significantly, the network infrastructure used in the IDFLeaks campaign points to Iranian involvement. While the involvement of Hunt3r Kill3rs and the use of the messaging platform Eitaa are notable, the technical details of the domain registration and hosting provide stronger evidence. The idfleaks[.]info website is hosted on a server owned by OneProvider, a Canadian web hosting and server rental company owned by BrainStorm Network. OneProvider primarily rents out dedicated servers, meaning that a single individual or organization rents all the hosting capacity of that physical or virtual server. The server hosting the IDFLeaks website hosts only a small number of domains, all of which resemble each other. This contrasts with shared or cloud-based hosting such as Amazon Web Services, or reverse proxies such as Cloudflare, where a single IP address fronts hundreds or thousands of unrelated domains and therefore says little about who operates any one of them. The operators of IDFLeaks may have bypassed BrainStorm Network’s know-your-customer (KYC) procedures by providing false information, but a subpoena or request for information from BrainStorm Network by government authorities might provide more conclusive evidence as to who is behind the campaign.
The website also used a dark web “onion” address as backup hosting so that the site would remain reachable through Tor Browser. This is significant because hacktivists and cybercriminals often use onion services to obscure the IP address of the server hosting the content, making it more difficult for law enforcement to identify and seize it. Here the onion address served as a fallback against takedowns rather than as concealment, since the same content was also served from an identifiable clearnet server. Iranian actors have utilized onion domains to avoid takedowns and identification of host servers in multiple past operations, such as the hack-and-leak operation against the Israeli Olympic delegation.
Finally, the manner in which the operators seeded and propagated the network’s content also indicates involvement by a sophisticated threat actor. The IDFLeaks operation appears to have involved hijacking third-party websites, a tactic in which attackers compromise legitimate sites and use them to plant links to, or redirect visitors toward, a malicious site. Seemingly legitimate websites that appear to have historically linked to idfleaks[.]info include chonburiisuzu[.]com, the website of a Thai car dealer; aguda90.co[.]il, an Israeli site that helps young people not serving in the military find volunteer opportunities; and viptekgroup[.]com, a Turkish floor-mat installation company. These and other hijacked websites would have given the operators of the IDFLeaks campaign an easier way to promote the campaign on mainstream social media platforms: if a platform banned idfleaks[.]info, the campaign could instead link to a hijacked site. This was a real risk, given that numerous security vendors and researchers flagged the domain for malicious or spam activity. While the IDFLeaks campaign does not appear to have used the hijacked websites in this way, the tactic speaks to a level of forethought in the operation’s planning.
Moreover, the way in which the dossiers were posted, distributed, and amplified suggests careful coordination. Hamas has previously carried out several cyber operations targeting Israel, but none were as sophisticated as the IDFLeaks campaign. The terror group’s hack-and-leak and broader influence operation capabilities do not compare to those of Iran.
Recommendations to Defend U.S. Service Members From Doxxing Campaigns
Over the past decade, hackers have breached tens of thousands of companies and stolen the personal data of hundreds of millions of Americans, including U.S. military personnel. Because the U.S. military permits service members to use social media in a personal capacity, adversaries may be able to enrich breach data with information from social media to create dossiers on U.S. military personnel, as did the IDFLeaks campaign. Notably, a malicious actor can carry out all of this activity without ever compromising military information systems themselves. The DoD and other federal agencies should better monitor breach data, improve cybersecurity guidance to service members, and bolster secure internet infrastructure to mitigate the threat posed by doxxing operations against U.S. service members.
- Survey breach data to determine exposure of U.S. service members and DoD systems.
The DoD should conduct an in-depth and ongoing survey of publicly released breach data to determine the exposure of U.S. service members. Current DoD policy focuses on informing servicemembers of breaches of their personal information when exposed via DoD systems or DoD-contracted service providers. Expanding this policy to encompass broader breach monitoring would enable the department to alert service members to individual security and privacy risks. It would also provide DoD with a better understanding of the risks to its own information security, as servicemembers exposed in third-party breaches could have their credentials or personally identifiable information used to compromise DoD systems through targeted phishing attacks. Monitoring breach data can help DoD mitigate this risk.
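The breach-monitoring step above can be done without handing the full personnel roster to whoever holds the breach corpus. The following is an added example, not code from the article or from the DoD: it simulates both sides of a k-anonymity range query of the kind Have I Been Pwned uses for its Pwned Passwords service, applied here to e-mail addresses. The querying side reveals only the first five hex characters of each SHA-1 hash, the data holder returns every hash suffix in that bucket, and the match is made locally. The breach corpus, names, and addresses are constructed for illustration.

```python
"""k-anonymity breach lookup: constructed corpus, invented identities (added example)."""
import hashlib
from collections import defaultdict

# Constructed breach corpus: (identifier, breach label). Not real data.
BREACH_CORPUS = [
    ("alice.smith@example.mil", "retailer-2022"),
    ("bob.jones@example.com", "forum-2021"),
    ("carol.lee@example.mil", "forum-2021"),
    ("carol.lee@example.mil", "fitness-app-2023"),
]

PREFIX_LEN = 5  # hex characters disclosed per query (20 bits of a 160-bit SHA-1)


def sha1_hex(value: str) -> str:
    """Normalise (trim, lower-case) then SHA-1; breach dumps are inconsistent in case."""
    return hashlib.sha1(value.strip().lower().encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Data-holder side. Holds full hashes bucketed by prefix; answers only range queries."""

    def __init__(self, records):
        self._buckets = defaultdict(dict)
        for ident, breach in records:
            h = sha1_hex(ident)
            self._buckets[h[:PREFIX_LEN]].setdefault(h[PREFIX_LEN:], set()).add(breach)

    def range_query(self, prefix: str) -> dict:
        """Return {hash_suffix: [breaches]} for the whole bucket. Never receives a full hash."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        # Copy out so callers cannot mutate the index.
        return {sfx: sorted(brs) for sfx, brs in self._buckets.get(prefix, {}).items()}


def check_exposure(index: BreachIndex, identifiers) -> dict:
    """Querying side: returns {identifier: [breaches]} for exposed identifiers only."""
    exposed = {}
    for ident in identifiers:
        h = sha1_hex(ident)
        bucket = index.range_query(h[:PREFIX_LEN])  # only the prefix leaves this side
        if h[PREFIX_LEN:] in bucket:               # the match is made locally
            exposed[ident] = bucket[h[PREFIX_LEN:]]
    return exposed


if __name__ == "__main__":
    idx = BreachIndex(BREACH_CORPUS)
    roster = ["Alice.Smith@example.mil", "dave@example.mil", "carol.lee@example.mil"]
    for who, where in check_exposure(idx, roster).items():
        print(f"{who}: exposed in {', '.join(where)}")
```

The privacy of the scheme comes from bucket size: with a five-character prefix and a corpus of hundreds of millions of records, each bucket holds several hundred unrelated hashes, whereas the four-record corpus here yields singleton buckets, so the example shows the mechanics rather than the guarantee. Normalisation before hashing matters in practice, since the same address appears in different dumps with different casing and stray whitespace.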
- Refine DoD guidance on personal social media use and cybersecurity best practices to mitigate threats to U.S. service members.
DoD should review and refine policies to provide more robust guidelines about the use of social media by active-duty military personnel to prevent threats to U.S. service members such as doxxing and cyber-attacks. Current guidelines focus on operational security by warning against posting information about troop movements, deployments, and other mission-related information. Given that cyber-attackers can leverage social media to gather personal information to enrich breach data, DoD should provide more comprehensive guidelines to help service members limit their exposure. Guidelines could include measures such as mandating the use of a password manager and multifactor authentication for personal accounts, recommending the use of physical security keys and data breach monitoring services, making profiles private, using full or partial pseudonyms, and not sharing personal information such as home addresses, birthdays, and the names of family members.
- Work with allies and partners to improve know-your-customer and vetting regulations for internet infrastructure providers.
The U.S. government as a whole should promote a more responsible internet infrastructure ecosystem. Executive Order 13984, issued in January 2021, mandates that American Infrastructure-as-a-Service (IaaS) providers (both hosting and other service providers) verify the identity of foreign customers to prevent misuse. In January 2024, the Commerce Department proposed a rule that would require all U.S. IaaS providers and foreign resellers to monitor foreign accounts on an ongoing basis to prevent the misuse of their infrastructure by malign cyber actors. However, hackers (including hack-and-leak operators) can operate exclusively outside America’s borders, thus bypassing such requirements. The U.S. government, through the State Department’s Bureau of Cybersecurity and Digital Policy, should work with European and other allies to strengthen know-your-customer and vetting processes for all IaaS providers within their jurisdictions.
Conclusion
Iranian cyber operations pose a significant threat. Iranian hackers have become more brazen in past months, targeting not only Israelis but also American political campaigns. The IDFLeaks campaign is just one example of how Iran or other malicious actors can combine cyber, psychological, and influence operations. Taking proactive steps to mitigate doxxing threats to military personnel can shore up defenses against not only Iran, but also more capable adversaries, such as China or Russia, undermining their ability to launch large-scale operations against U.S. service members.
Appendix: Indicators of the IDFLeaks Campaign
The following indicators may aid other researchers in their investigation of the IDFLeaks campaign.
| Type | Indicator |
|---|---|
| X Account | x[.]com/idfleaks |
| Forum Profile | nulled[.]to/user/6007603-idfleaks |
| Forum Profile | https://leakbase[.]io/members/idfleaks.60020 |
| YouTube Account | www.youtube[.]com/@IDFLeaks |
| Eitaa (Messaging) | eitaa[.]com/idfleaks |
| Eitaa (Messaging) | eitaa[.]com/nezamitarinn |
| Domain | idfleaks[.]info |
| Domain | idfinfo[.]pw |
| Domain | idf[.]pic |
| IP Address | 37.143.129[.]182 |
| IP Address | 31.14.115[.]152 |
| Certificate | 5f8b29c0cf898ed4f92cba7a700a1031f2a16f646b64b5c31ffda493a1aac436 |
| Certificate | D285088E8ED733F5167CE824207926BE0F418B09F9D131EC8DEB226A701E6655 |
| Domain | wildideamarketing[.]net |
| Domain | digi-baman[.]com |
| IP Address | 213.142.130[.]227 |
| Domain | chonburiisuzu[.]com |
| Domain | calechedor[.]xyz |
| Domain | staticpanis[.]xyz |
| Domain | servp[.]xyz |
| Domain | aguda90[.]co.il |
| Domain | viptekgroup[.]com |
| Telegram Channel | t[.]me/Hunt3rkill3rs1 |
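The indicators above are published defanged (`[.]` for `.`), so they must be refanged before use in a detection rule, and they are of three different kinds: domains, which should match subdomains (www.idfleaks[.]info) but not look-alikes; IP addresses, which match exactly; and platform paths such as the Telegram channel, which must be matched on host plus path so that all of t[.]me is not flagged. The block below is an added example, not tooling from the article or its authors: it loads a subset of the appendix, refangs it, and scans constructed DNS and proxy log lines. The log lines and their format are invented for illustration.

```python
"""Refang published IOCs and match them against log lines (added example)."""
import ipaddress
import re

# Subset of the appendix, defanged exactly as published.
INDICATORS = {
    "Domain": ["idfleaks[.]info", "idfinfo[.]pw", "chonburiisuzu[.]com", "aguda90[.]co.il"],
    "IP Address": ["37.143.129[.]182", "31.14.115[.]152", "213.142.130[.]227"],
    "Telegram Channel": ["t[.]me/Hunt3rkill3rs1"],
}

# Constructed log lines; the format is invented for this example.
LOG_LINES = [
    "2024-05-06T10:01:02Z dns query client=10.0.0.5 qname=www.idfleaks.info qtype=A",
    "2024-05-06T10:01:03Z proxy client=10.0.0.5 dst=37.143.129.182:443 url=https://idfleaks.info/dossiers/",
    "2024-05-06T10:02:10Z dns query client=10.0.0.7 qname=mail.example.com qtype=MX",
    "2024-05-06T10:03:00Z proxy client=10.0.0.9 dst=93.184.216.34:443 url=https://t.me/Hunt3rkill3rs1",
]


def refang(value: str) -> str:
    """Undo common defanging: [.] / (.) -> ., [:] -> :, hxxp(s) -> http(s). Lower-cases."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), v, flags=re.I)
    return v.lower()


class IocMatcher:
    TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")   # host-like and IP-like tokens
    URL = re.compile(r"https?://[^\s\"']+", re.I)

    def __init__(self, indicators):
        self.domains, self.ips, self.url_paths = set(), set(), set()
        for kind, values in indicators.items():
            for raw in values:
                clean = refang(raw)
                if kind == "IP Address":
                    self.ips.add(str(ipaddress.ip_address(clean)))  # validates the address
                elif "/" in clean:
                    # Channel/profile indicators: match host+path, not the whole platform.
                    self.url_paths.add(clean.split("://")[-1].rstrip("/"))
                else:
                    self.domains.add(clean.rstrip("."))

    def domain_hit(self, host: str):
        """Exact or subdomain match; 'notidfleaks.info' must NOT match 'idfleaks.info'."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def scan(self, lines):
        """Return (line_no, kind, indicator) for every match, in line order."""
        hits = []
        for n, line in enumerate(lines, 1):
            for url in self.URL.findall(line):
                path = url.lower().split("://", 1)[1].rstrip("/")
                for p in self.url_paths:
                    if path == p or path.startswith(p + "/") or path.startswith(p + "?"):
                        hits.append((n, "url", p))
            for tok in self.TOKEN.findall(line):
                if tok in self.ips:
                    hits.append((n, "ip", tok))
                    continue
                d = self.domain_hit(tok)
                if d:
                    hits.append((n, "domain", d))
        return hits


if __name__ == "__main__":
    for hit in IocMatcher(INDICATORS).scan(LOG_LINES):
        print("line %d: %s %s" % hit)
```

The certificate hashes in the appendix are deliberately left out of this matcher; they belong in TLS inspection or certificate-transparency monitoring rather than in a string match over DNS and proxy logs.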
Ari Ben Am is an adjunct fellow at FDD’s Center on Cyber and Technology Innovation. His research focuses on emerging threats, influence and information operations, cyber operations, and hybrid warfare. Max Lesser is the senior analyst on emerging threats at FDD’s Center on Cyber and Technology Innovation, where his research focuses on countering foreign malign influence operations.