WikiLeaks Saudi Cable Release Resembles the Work of Iranian Hackers

Government (Foreign) // Saudi Arabia

It seems Iranian hackers were responsible for stealing the 70,000 Saudi Arabia Foreign Ministry documents that recently popped up on the extreme-transparency website.

The cables depict Saudi diplomacy as reliant on oil-wealth patronage and obsessed with Iran, the kingdom’s chief rival.

A study released June 26 by Recorded Future, an open source predictive analytics firm, describes similarities between Iranian-linked hackers and the Yemen Cyber Army, which last month claimed responsibility for a potentially related Saudi Foreign Ministry hack.

Among the indicators of the source of the attack, the report notes, is that the Yemen Cyber Army dumps stolen documents on QuickLeak.ir, a file-sharing site that is rarely used by typical hacktivist groups but has been used by the Iranian-connected group Parastoo.

Recorded Future also notes that Iran’s semiofficial Fars News Agency was the first to report the group’s claim. Recorded Future commented: “The news outlet quickly emerges as the [Yemen Cyber Army’s] mouthpiece.”

Another clue: One leaked cable shows emails discussing a malicious cyber campaign dubbed Operation Cleaver, which began targeting the ministry on July 14, 2014. In the cable, dated Feb. 15, 2015, the messages cite an internal investigation that identifies “Iranian Actors” as part of the attack, which used a phishing technique to infect computers with data-extracting malware.

According to cybersecurity firm Cylance, Iranian hackers carried out Operation Cleaver, which allegedly targeted 16 countries, including the United States, and affected dozens of agencies and key industry sectors.