Mysterious hacker strikes Iran with major cyberattacks against industry leading companies

On December 20th, a hacker who goes by the username “irleaks” posted a thread in which they attempt to sell over 160,000,000 records of Iranians from 23 of Iran’s leading insurance companies.

Sales thread on a hacking forum
Sample of the data, provided by the threat actor

The data includes fields such as names, phones, identity numbers, addresses, passport numbers, and other sensitive details.

Hudson Rock researchers confirm that the data appears to be genuine and note that pulling off an attack against this many insurance companies is wildly difficult.

But this breach wasn’t enough for “irleaks”, and on December 30th the threat actor posted another thread in which they claim to have hacked Iran’s largest online food ordering company, SnappFood.

The data that was apparently exfiltrated from the company amounts to a staggering 3 Terabytes, and includes incredibly sensitive details such as

  • 20,000,000 users data (emails, passwords, phone numbers)
  • 51,000,000 user addresses
  • 600,000 credit cards data
  • 180,000,000 device related information

SnappFood has taken notice to the breach and promptly issued a statement claiming they are investigating the attack.

It is worth noting that although the origin of the breach is unknown, Hudson Rock researchers identified a recently compromised employee of SnappFood who had their computer infected with a StealC infostealer.

The infection of this employee’s computer resulted in many sensitive credentials of the organization being accessible to some hackers and may have been used as an initial attack vector against the company.

Data from the infected employee’s computer.

Some of the data includes login details to the company’s Confluence server, Jira server, and other development related URLs.

Additional credentials data identified on the infected computer

The combination of sophisticated attacks launched by a single threat actor against industry leading companies in Iran raises the question if this was a state-sponsored attack.

To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo

We also provide access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools

Thanks for reading, Rock Hudson Rock!

Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock

Follow us on Twitter: https://www.twitter.com/RockHudsonRock

Don’t Stop Here

More To Explore

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise