Secret spy unit leads Iran’s intel gathering for surveillance, deadly plots


Brothers and sisters

Department 40, the documents show, is composed of three sub-units: a group of hackers as well as the so-called Brothers and an all-female unit, the Sisters.

The Brothers unit, according to organizational charts contained in the leaked documents, is responsible for, among other duties, “targeting foreign government personnel” and “collection of information from foreign governmental institutions.”

For their part, the Sisters unit is tasked with “the collection of intelligence for assassination operations” and “psychological operations aimed at influencing public opinion.”

The hacking teams carry out “cyberattacks on targets in foreign countries” and oversee “the creation of phishing websites and coordinated email and SMS campaigns.”

The leaked documents reviewed by Iran International indicate Department 40 orchestrated many of the cyber operations which security experts and watchdogs had attributed generally to Iran-linked groups in recent years.

Prominent among them are so-called “spy-ads” appearing on some VPN services used by Iranians to bypass state censorship of the internet, which invite users to collaborate with Israel.

The documents reviewed by Iran International show that all internet domains associated with a network overseeing the ads—known as VIP Human Solution—belonged to Department 40, and aimed to entrap potential spies.

The Revealer

The Kashef (Revealer) database appears to be Department 40’s core project, and the leaked materials include a video showing a confidential presentation of Version 3 of the platform, which became operational in June 2022.

It reveals the extent and type of information accessible there, including Iranians’ phone numbers, records of phone calls and text messages, social media activities, home and workplace addresses and movement patterns.

Cybersecurity analyst Nariman Gharib told Iran International that the databases obtained by hackers affiliated with Department 40 are transferred into Kashef to allow agents to track and catalogue information about their selected targets.

“The system allows the unit to build intelligence files for conducting physical attacks against these targets,” Gharib said. “This is a cyber capability designed to support assassination operations.”

The precise goal of the department's information-gathering on people and entities was often not clear, and did not appear in many cases to intend physical harm.

The Kashef system contained meticulous information on Iranian dual-nationals, embassy staff, employees of foreign-linked companies, and journalists.

The platform, according to the documents, aims to facilitate overseas operations by the Intelligence Ministry and the IRGC external operations branch, the Quds Force.

It maps connections of persons and sites of interest. If two phone numbers of interest show up in one location, the system alerts the agents.

For years, dual-national Iranians traveling to Iran were required to fill out forms that asked for their emails and social media accounts.

Confidential internal reports from Department 40 reviewed by Iran International reveal that its cyberattacks gained access to foreign state and private institutions such as the Abu Dhabi and Fujairah police, FlyDubai, EgyptAir, Azerbaijan’s SOCAR energy holding, and the Russeifa municipality in northern Jordan, from which data on targeted individuals could be collected.

Where data could not be obtained directly, the unit would resort to other means.

One Department 40 report reviewed by Iran International shows that after an initial failure to access police records in the United Arab Emirates, the hackers targeted a contractor firm working with the police.
