Hacker Group Profile: Shield Iran Security Team

Originally published at: Hacker Group Profile: Shield Iran Security Team - CloudSEK

CloudSEK’s Threat Intelligence Research team analyzed the profile of a threat actor handle that seems to be connected to a popular hacker group known as Shield Iran Security Team.

| Field | Value |
| --- | --- |
| Report Type | Threat Actor Profiling |
| Research Subject | Threat Actor Handle: Shield Iran Security Team |
| TLP | AMBER |
| Reference | https://en.wikipedia.org/wiki/Traffic_Light_Protocol |

Executive Summary

  • CloudSEK’s Threat Intelligence Research team analyzed the profile of a threat actor handle that seems to be connected to a popular hacker group known as Shield Iran Security Team.
  • Posts made by the threat actor handle, Amo Changiz, on an English language cybercrime forum, target regions such as UAE, Kurdistan, Nigeria, Indonesia, Israel, and Brazil.
  • Further analysis revealed that the actor is part of Shield Iran Security Team, which has a total of 8 members.

Underground Profile

| Field | Value |
| --- | --- |
| Threat actor handle | Amo Changiz |
| Hacker Group | Shield Iran Security Team |
| Forum | RaidForums |
| Registration date on the forum | 13 December 2021 |
| Contact information (based on the forum activity) | Telegram.Me/ChangizAmo, Telegram.Me/TheHackings, Telegram.Me/Shield_DAtabase |
| Team members in the group | Nazila Blackhat, Iliya Norton, Mr-Im@n, Milad Hacking, Sir.4m1r – Byp4sser, HosseinKiA, Ahwaz_Hackerz, ChangizAmo |
| Website | https://shieldiran.net/ |

Detailed Analysis

  • On 18 December 2021, a threat actor handle “Amo Changiz” posted a compromised Indonesian government database on an English language cybercrime forum.
  • The post included links that redirect to another cybercrime forum that references the Shield Iran Security Team.
  • Shield Iran Security Team is an 8-member cybercrime group with a large following on various social media and communication channels. It also runs a website that provides tutorials, rootkits, and stealers.
  • The group is actively involved in dumping data belonging to entities across the world on cybercrime forums, communication channels, and its own website.

| Date | Target | Target Region |
| --- | --- | --- |
| 26 December 2021 | 60,000 passport records | China (possibly) |
| 26 December 2021 | Amigo.co.il | Israel |
| 24 December 2021 | Kohinoor International School database | India |
| 13 December 2021 | Passport records (released in parts) | UAE |
| 19 December 2021 | Nigeria Customs Information Portal mail server backup | Nigeria |
| 18 December 2021 | Kurdistan people database | Kurdistan |
| 18 December 2021 | Government backup database of Indonesia | Indonesia |
| 13 December 2021 | City Hall of Banzaê; City Council of Banzaê | Brazil |

  • Other leaks by the hacker group have targeted crypto and e-commerce websites such as:
    • atacado.shop
    • cryptofairplay.com
    • playyourbet.com
  • They also actively post on another forum called zone-h.org, and all their posts are interlinked. 

  • We discovered mentions of Shield Iran Security Team on an Iranian website dating back to March 2020, which indicates that the group has been active for at least 2 years.
  • Their goals include maintaining the security of Iranian sites, building malicious software, hacking, and training Iranian citizens in cybersecurity.

References

https://cybershafarat.com/2020/03/16/shield-of-iran/

zone-h.org/mirror/id/38965388?hz=1