There's Evidence the 'Yemen Cyber Army' Is Actually Iranian

Researchers uncover clues that indicate the new hacking group has links to Iran.

Jun 26 2015, 10:00am

Image: yeowatzup/Flickr

In the last few weeks, a new hacking group called the Yemen Cyber Army came out of nowhere in the Middle East. Its first feat was hacking and defacing pro-Saudi website Al Hayat in April, but just a month later, the group scored a much bigger target: Saudi Arabia's Ministry of Foreign Affairs.

On May 20, the Yemen Cyber Army hacked the ministry's website and servers, and began posting some alleged stolen internal documents online. This hack granted the group widespread notoriety, and last week, WikiLeaks started publishing the more secret documents from the trove, without disclosing explicitly whether the Yemen Cyber Army was the source of the leak.

Several security experts, however, have doubted that the hackers are really from Yemen, speculating it's more likely that they are Iranian, perhaps even sponsored by Iran's government, given that Yemen has little experience in the hacking realm, and that the attack came on the heels of a series of other attacks by alleged Iranian hackers against Saudi targets.

Now, researchers have found clues that seem to prove the Yemen Cyber Army group is just a front for Iranian hackers, perhaps the mysterious Iranian Cyber Army, and might even be comprised of some of the same hackers that hit the oil giant Saudi Aramco in 2012, wiping 30,000 company computers in a cyberattack that was unprecedented for its destructiveness.

At the time, those hackers called themselves the "Cutting Sword of Justice." That very same expression was used by the Yemen Cyber Army in a message uploaded on Pastebin bragging about the hack on Saudi's Ministry of Foreign Affairs.

That's perhaps the most intriguing, and revealing, clue found by Recorded Future, a web intelligence firm backed by Google and the CIA, which published a report on the group on Friday.

"Somebody put that there for a reason," Recorded Future's founder and CEO Christopher Ahlberg told Motherboard.

In fact, before the attack on the Saudi Ministry of Foreign Affairs, that phrase, be it in English, Farsi, or Arabic, only appeared online in connection to the attack on Saudi Aramco, also known as the Shamoon attack, according to Ahlberg.

But there are other clues, according to Recorded Future's report. The Yemen Cyber Army posted some of the stolen documents on a Pastebin-like website registered in Iran, QuickLeak.ir. The site, according to Ahlberg, is used by very few hackers except for Iranian ones, such as Parastoo.

Moreover, the first media outlet to report on the Yemen Cyber Army's activities, including the hack on Saudi's Ministry of Foreign Affairs, was the Fars News Agency, a semi-official Iranian media outlet.

Over the last few months, Fars became the "mouthpiece" of the Yemen Cyber Army, according to Recorded Future's report.

"It's far and away the most prominent source outside of social media posts to report on the [Yemen Cyber Army's] activities," the report read, noting that Fars refers to its reports on the hacking group as exclusives.

One of Fars's latest reports on the group almost reads like a Yemen Cyber Army press release, Ahlberg said, pointing to language that encourages readers to read leaked Saudi documents such as "please click the file below."

Lastly, Ahlberg noted that the Yemen Cyber Army, despite acting like a hacktivist group, doesn't have any presence on social media, unlike other nationalist hacking groups such as the Syrian Electronic Army or the Egyptian Cyber Army.

Ahlberg admits that this is all circumstantial evidence, and there's no real smoking gun, but all these clues suggest that "we're looking at the same crew coming back again under another name"—the mysterious Iranian Cyber Army.

Some cybersecurity experts in the region, as reported by Buzzfeed News, seem to agree.

"The Yemen Cyber Army—we believe—is just a front name for offensive cyber activities of Iranian units," Abdullah AlAli, the CEO of Cyberkov, a security firm based in Kuwait, told Motherboard.

Others, however, aren't sold. Amin Sabeti, an Iranian researcher based in London who has tracked the so-called Iran Cyber Army in the past, told Motherboard that he's "skeptical," as "Iranian hackers are good at social engineering and phishing but they are not very good at sophisticated attacks," such as the one against the Saudi Ministry of Foreign Affairs.

But for AlAli, Yemen Cyber Army's activities share similarities with previous Iranian cyberattacks against Saudi Arabia labelled Operation Cleaver. All these attacks have to be seen as an extension of the ever simmering tension between Saudi Arabia and Iran.

"The conflict between Saudi and Iranian actors online has been going on for years, always on sectarian lines (Sunnis vs. Shiites)," Helmi Noman, a senior researcher at Citizen Lab, an internet watchdog at the University of Toronto's Munk School of Global Affairs, told Motherboard in an email.

This "low key cyber battle," as Ahlberg put it, is just the latest chapter, made up of Twitter account takeovers, website defacements and, in the case of the Saudi Ministry of Foreign Affairs, a high-profile hack.