PARASTOO پرستو :
I got a tweet today about some data sitting on cryptome.org that got me thinking about this “group” again, so I did some more digging online on them (him). The name of the “group” is Parastoo (پرستو in Farsi), which means swallow, the bird. In the last year this guy (yes, I think it’s literally one deranged person) had been active on at least two .ir sites that dealt with security and hacking and then started his own domains to ostensibly carry out cyber war against Israel and attempt to leverage the IAEA and others. So far none of the alleged hacks and data dumps that I have seen have impressed, and the data itself seems to be from systems that they “think” are important but in reality are not. Specifically, of late there are threats concerning CIA plots and diatribes that read like Lulzsec on methamphetamine and ketamine at the same time. This guy really has quite the beautiful and large tinfoil hat and he wants us all to know about it in no uncertain terms. It is interesting to read between the lines, stylometrically, and see how the writer here seems to be molding their communiqués in the manner of Zodiac, with a third-person approach that intones that this is a group of more than one person. By using “Parastoo is speaking” they come very close to “This is the Zodiac speaking,” which attempted to portray power and induce fear. It is also interesting to note that the language used in the emails implies a good grasp of English as well as a flair for the overly dramatic, which does not lend credence to the threats they imply. In fact the reading I take away, and seemingly the press as well, is that of someone either trying too hard to be Anonymous or else engaged in outright trolling.
In tracing the domains for parastoo.ir and hacker4hire.ir I came across a defunct site (RCE.ir), a phpBB forum that is now offline but is archived in a couple of places as well as in Google caches. When searches for “Parastoo” were run, a clear link to a user on the RCE.ir site came up, and that user was “DarkPassenger,” who posted often on the site not only about hacking tutorials, tools, and the like but also dropped many links to government sites in the US and talked about conspiratorial things in nearly every posting. DarkPassenger’s favorite saying or aphorism in each posting was “de nobis ipsis silemus,” which is taken from the Baconian epigraph to the first Critique and translates to “of ourselves we are silent,” which is ironic given all the commentary that DarkPassenger is putting out there that speaks to his state of mind. DarkPassenger is also a fan of TV and movies and can be tracked to other .ir sites, but from the first searches there is not a lot out there under this account name to go much further (at present writing) in saying who he may be in real life. DarkPassenger does seem to have quite a bit of time on his hands and some technical capabilities. Much of the data that he and Parastoo post, however, is really just OSINT that anyone capable could carry out. In fact in one post DP talks about OSINT while laying out informatics on a military organization’s email addresses and contact list, so he is in fact versed in the ways of OSINT collection. A key factor in the link I am making between Parastoo and DP is that he uses the “EXPECT US” cutline in many of his posts as well and seems rather enamoured with the idea that he is in fact an Anon; that bent toward conspiracy and overarching plots infuses the majority of his postings online.
Parastoo.ir, hacker4hire.ir & RCE.ir:
The postings claiming hacks, as well as the ranting ones, claim that DP had set up a couple of domains for “attacks” on the outside world from the .ir domain. These domains are registered under what I assume is a cutout name, zohre sajadian, which coincidentally was also used for the RCE.ir site. All sites are currently down, and in fact I cannot locate any content for the hacker4hire.ir or parastoo.ir sites. The only one that did have active content for a while was RCE.ir. This site was up for quite some time but was insecure, and much of the content was not that interesting. It is of note, though, that the domain registrations all line up, and there seems to be some overlap in email hosting between a .ru address and the chmail.ir site (that address is verified as being real). The registrant’s postal address and name appear to be just made up; in fact the address cannot exist because there is no intersection of Felestin Street with Johmoori. A cursory look at the name Zohre Sajadian also comes up with some hits, but they seem to be unrelated at this time to the sites and their registration, so mostly this is a dead end I think.
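The pivot described above (three domains tied together by a shared registrant name and overlapping contact email) is a standard infrastructure-attribution step, so here is an added example of how an analyst would automate it. This is my own illustration, not code from the post. The domain names and the registrant name come from the post; every email address, nameserver and the fourth “unrelated” record are constructed placeholders, and the records would normally be loaded from archived WHOIS output rather than typed inline. The block also shows the caveat a practitioner wants: it reports which keys produced each link, because a shared nameserver at a large hosting provider is much weaker evidence than a shared registrant email.

```python
"""Cluster domains by shared WHOIS-style registrant fields (added example).

The records below are constructed for this write-up. Only the domain names
and the registrant name appear in the post; emails, nameservers and the
'unrelated.example' decoy are placeholders.
"""
import re
from collections import defaultdict

# Constructed registration records (placeholder contact data).
RECORDS = [
    {"domain": "parastoo.ir", "registrant": "zohre sajadian",
     "email": "contact@example.ru", "ns": ["ns1.host-a.example"]},
    {"domain": "hacker4hire.ir", "registrant": "Zohre  Sajadian",
     "email": "contact@example.ru", "ns": ["ns1.host-a.example"]},
    {"domain": "rce.ir", "registrant": "SAJADIAN, ZOHRE",
     "email": "admin@chmail-placeholder.example", "ns": ["ns1.host-a.example"]},
    {"domain": "unrelated.example", "registrant": "Other Person",
     "email": "someone@example.org", "ns": ["ns1.other.example"]},
]


def normalize_name(name):
    """Fold case, 'Last, First' order and repeated whitespace into one form,
    so cosmetic variation in a cutout name does not break the match."""
    name = name.lower().strip()
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    return re.sub(r"\s+", " ", name)


def pivot_keys(rec):
    """Yield (field, value) keys on which two registrations can be linked."""
    yield ("registrant", normalize_name(rec["registrant"]))
    yield ("email", rec["email"].lower())
    for ns in rec["ns"]:
        # Nameservers are a weak pivot: shared hosting makes them common.
        yield ("ns", ns.lower())


def cluster_domains(records):
    """Union-find over pivot keys: domains sharing any key land in one cluster."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}
    for rec in records:
        for key in pivot_keys(rec):
            if key in first_seen:
                union(rec["domain"], first_seen[key])
            else:
                first_seen[key] = rec["domain"]

    clusters = defaultdict(set)
    for r in records:
        clusters[find(r["domain"])].add(r["domain"])
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def shared_keys(records, domains):
    """Evidence list: pivot keys shared by two or more of the given domains."""
    holders = defaultdict(set)
    for rec in records:
        if rec["domain"] in domains:
            for key in pivot_keys(rec):
                holders[key].add(rec["domain"])
    return {k: sorted(v) for k, v in holders.items() if len(v) > 1}


if __name__ == "__main__":
    for cluster in cluster_domains(RECORDS):
        print(cluster)
        for key, members in shared_keys(RECORDS, set(cluster)).items():
            print("   linked by", key, "->", members)
```

Running it groups the three .ir domains together and leaves the decoy on its own; the evidence list shows that the registrant name ties all three, the placeholder .ru email ties only two, and the nameserver link is the one you would discount first.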
Alleged Hacks & Anonymous Rhetoric:
So far in my searching I have not found much out there to support any large hacks or dumps of data showing that this “group” has done what they claim, aside from a few news stories claiming Parastoo made off with “sensitive” information on nuclear systems and facilities. However, the data that they claim to have taken, and that IHS Inc. admitted was taken, is all of a nature that can be purchased from the web or has already been published in the past. The only really sensitive information that may have been breached is credit card data that could have resided on the servers that were compromised. So while Parastoo makes grandiose claims of important hacks and data leaks, thus far, when really investigated, they have yet to make a major hit on anything of real import. Since the sites have gone dormant or offline it has yet to be determined what else they may be working on or have compromised, but if you look at the rhetoric in their pastebin posts as well as the alleged emails on Cryptome one becomes a bit jaundiced and must take everything they say with a large grain of salt. Another factor to remember is that even drawings like the one at the top of this post are often available to anyone on the internet, either through insecure or misconfigured servers or because the data is in fact meant to be open to the public. This is a paradigm I have learned about recently in looking into the OSINT on nuclear facilities and systems. So these dumps of information are not what the attackers think they are, because they are unacquainted with the data and its secrecy, or lack thereof.
The final analysis of the “Parastoo” group is that in reality it is at least one person (DarkPassenger) who wants to make a statement on Israel and nukes, with a fixation on the IAEA and DOE. While some pastes in the pastebin list seem to have actual data from systems that are externally facing on the internet (DOE for one), the majority of the data seems to be half-understood misinformation being spewed to garner attention. As the Anonymous model has been let out of the bottle, so to speak, post-Lulzsec, there are many who aspire to that level of reputation and attention, and these dumps are an attempt to attract it. Of course the problem with the Anonymous model of operation is that anyone can take on the mantle and claim to be an Anon or a group of them to effect whatever outcome they seek (mostly attention), so it is oftentimes hard to take groups like this seriously until such time as they dump hard data onto the internet for all to see. In the case of Parastoo none of this is evident, and as such I categorize him/them as a non-threat actor on the larger stage of geopolitics and information warfare at this time.