CloudSEK’s Threat Intelligence Research team analyzed the profile of a threat actor handle that seems to be connected to a popular hacker group known as Shield Iran Security Team.
| Report Type | Threat Actor Profiling |
| Research Subject | Threat Actor Handle: Shield Iran Security Team |
| TLP# | AMBER |
| Reference | #https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- CloudSEK’s Threat Intelligence Research team analyzed the profile of a threat actor handle that seems to be connected to a popular hacker group known as Shield Iran Security Team.
- Posts made by the threat actor handle, Amo Changiz, on an English language cybercrime forum, target regions such as UAE, Kurdistan, Nigeria, Indonesia, Israel, and Brazil.
- Further analysis revealed that the actor is part of Shield Iran Security Team, which has a total of 8 members.
Underground Profile : Shield Iran Security Team
| Threat actor handle | Amo Changiz |
| Hacker Group | Shield Iran Security Team |
| Forum | RaidForums |
| Registration date on the forum | 13 December 2021 |
| Contact information (Based on the forum activity) | Telegram.Me/ChangizAmoTelegram.Me/TheHackingsTelegram.Me/Shield_DAtabase |
| Team members in the group | Nazila Blackhat Iliya Norton [email protected] Milad Hacking Sir.4m1r - Byp4sser HosseinKiA Ahwaz_Hackerz ChangizAmo |
| Website | https://shieldiran.net/ |
Detailed Analysis : Shield Iran Security Team
- On 18 December 2021 a threat actor handle “Amo Changiz” posted a compromised Indonesian government database, on an English language cybercrime forum.
- The post included links that redirect to another cybercrime forum that references the Shield Iran Security Team.
- Shield Iran Security Team is an 8 member cybercrime group that has a huge following on various social media and communication channels. They also have a website that provides tutorials, rootkits, and stealers.
- The group is actively involved in dumping data, belonging to entities across the world, on cybercrime forums, communication channels, and their website.
| Date | Target | Target Region |
| 26 December 2021 | 60,000 passport records | China (Possibly) |
| 26 December 2021 | Amigo.co.il | Israel |
| 24 December 2021 | Kohinoor International School Database | India |
| 13 December 2021 | Passport records (Released in parts) | UAE |
| 19 December 2021 | Nigeria Customs Information Portal Mail Server Backup | Nigeria |
| 18 December 2021 | Kurdistan People Database | Kurdistan |
| 18 December 2021 | Government Backup database of Indonesia | Indonesia |
| 13 December 2021 | City Hall of Banzaê City Council of Banzaê | Brazil |
- Other leaks by the hacker group have targeted crypto and e-commerce websites such as:
- atacado.shop
- cryptofairplay.com
- playyourbet.com
- They also actively post on another forum called zone-h.org, and all their posts are interlinked.
- We discovered mentions of Shield Iran Security Team, on an Iranian website, dating back to March 2020. This indicates that the group has been active for at least 2 years.
- Their goals include maintaining the security of Iranian sites, building malicious software, hacking and training Iranian citizens on cybersecurity.
References
Appendix
