Hacker Group Profile: Shield Iran Security Team

Summary

CloudSEK’s Threat Intelligence Research team analyzed the profile of a threat actor handle that seems to be connected to a popular hacker group known as Shield Iran Security Team.

Report Type: Threat Actor Profiling
Research Subject: Threat actor handle "Amo Changiz", linked to the hacker group Shield Iran Security Team
TLP: AMBER
Reference: https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CloudSEK’s Threat Intelligence Research team analyzed the profile of a threat actor handle that seems to be connected to a popular hacker group known as Shield Iran Security Team. 
  • Posts made by the threat actor handle, Amo Changiz, on an English-language cybercrime forum, target regions such as UAE, Kurdistan, Nigeria, Indonesia, Israel, and Brazil. 
  • Further analysis revealed that the actor is part of Shield Iran Security Team, which has a total of 8 members. 

Underground Profile : Shield Iran Security Team

Threat actor handle: Amo Changiz
Hacker group: Shield Iran Security Team
Forum: RaidForums
Registration date on the forum: 13 December 2021
Contact information (based on the forum activity):
  • Telegram.Me/ChangizAmo
  • Telegram.Me/TheHackings
  • Telegram.Me/Shield_DAtabase
Team members in the group:
  • Nazila Blackhat
  • Iliya Norton
  • [email protected]
  • Milad Hacking
  • Sir.4m1r - Byp4sser
  • HosseinKiA
  • Ahwaz_Hackerz
  • ChangizAmo
Website: https://shieldiran.net/

Detailed Analysis : Shield Iran Security Team

  • On 18 December 2021, the threat actor handle “Amo Changiz” posted a compromised Indonesian government database on an English-language cybercrime forum. 
  • The post included links that redirect to another cybercrime forum referencing the Shield Iran Security Team. 
  • Shield Iran Security Team is an 8-member cybercrime group with a large following on various social media and communication channels. The group also runs a website that provides tutorials, rootkits, and stealers. 
  • The group actively dumps data belonging to entities across the world on cybercrime forums, communication channels, and its own website. The leaks observed so far are listed below. 
Date             | Target                                                | Target Region
26 December 2021 | 60,000 passport records                               | China (possibly)
26 December 2021 | Amigo.co.il                                           | Israel
24 December 2021 | Kohinoor International School database                | India
13 December 2021 | Passport records (released in parts)                  | UAE
19 December 2021 | Nigeria Customs Information Portal mail server backup | Nigeria
18 December 2021 | Kurdistan People Database                             | Kurdistan
18 December 2021 | Government backup database of Indonesia               | Indonesia
13 December 2021 | City Hall of Banzaê; City Council of Banzaê           | Brazil
  • Other leaks by the hacker group have targeted crypto and e-commerce websites such as:
    • atacado.shop
    • cryptofairplay.com
    • playyourbet.com
  • They also actively post their defacements to zone-h.org (a public defacement archive, not a cybercrime forum), and all of their posts are interlinked. 
Figure: Shield Iran Security Team’s post on a cybercrime forum mentioning its activities

  • We discovered mentions of Shield Iran Security Team on an Iranian website dating back to March 2020, which indicates that the group has been active for at least two years as of this report.  
  • According to those mentions, the group’s goals include maintaining the security of Iranian sites, building malicious software, hacking, and training Iranian citizens in cybersecurity. 

Appendix

Figure: Shield Iran Security Team’s advertisements on various communication channels

Figure: Shield Iran Security Team’s website