For years, “Mr. Tekide” has been well-known as a crimson flag inside worldwide cybersecurity communities. The alias has managed to evade being publicly recognized regardless of being deemed a high malware developer and hacker whose crypters – that are used to hide malware in an assault – have been utilized in cyber espionage assaults on the US and broader West, in addition to Sunni Arab nations and Israel.

The Red Tea Detox

However Jeff Bardin – the Chief Intelligence Officer on the California-based safety agency Treadstone 71 who has been monitoring Tekide since 2015 – says he has unmasked the Iranian man behind the keyboard, who’s linked to Tehran’s Ministry of Protection.

The hacker is allegedly a 29-year-old veterinarian by the title of Mostafa Selahi Qalavand.

“It’s troublesome to completely assess the harm he has precipitated as a result of there stays to this present day a number of secrecy about these assaults. Nevertheless, his involvement was primarily with cyber espionage operations for the Iranian authorities,” Bardin advised Fox Information, highlighting that “Mr. Tekide’s” perform was to not personally assault the West however to help different actors to take action. He has been a key a part of the provision chain for Iranian-affiliated hacking teams, which have carried out in depth cyber espionage campaigns. He’s a gifted programmer, and his crypters are subtle. With out his crypters, these Iranian assaults would have been far much less profitable.”


His actions began throughout the late 2000s with the Iranian hacker discussion board Ashiyane, Bardin documented; and continued as much as about 2015-16. Bardin’s file on Qalavand’s alleged actions as Mr. Tekide concludes that the 29-year-old lately acquired his Ph.D. in veterinary science in Karaj and opened a observe, known as the Rapha Vet Clinic however has since mentioned that the clinic is “not doing nicely, in all probability because of the financial local weather in Iran and the dearth of affinity towards canine and cats in Iran.”

This picture released by the official website of the Iranian Defense Ministry on Sunday, March 12, 2017, shows a domestically manufactured tank called "Karrar" in an undisclosed location in Iran. Iran's semi-official Fars news agency is reporting that the country has unveiled the domestically manufactured tank and has launched a mass-production line. (Iranian Defense Ministry via AP)

This image launched by the official web site of the Iranian Protection Ministry on Sunday, March 12, 2017, exhibits a domestically manufactured tank known as “Karrar” in an undisclosed location in Iran. Iran’s semi-official Fars information company is reporting that the nation has unveiled the domestically manufactured tank and has launched a mass-production line. (Iranian Protection Ministry through AP)
(The Related Press)

“For some time, he tried to get out of the hacking enterprise, however in late 2018 I noticed him returning to this operation greater than doubtless for monetary causes. He began a brand new firm that claims to supply risk intelligence companies, and commenced working to replace his crypters,” Bardin mentioned.

READ  Christmas got here early for Putin (opinion)

Bardin’s Treadstone 71 evaluation states that Qalavand’s curiosity in computer systems and small animals began as a baby, and that he acquired a Bachelor of Science in laptop engineering from the Worldwide Imam Khomeini College and spent a few years with the Ashiyane boards growing software program used within the assault provide chain whereas finally working for the Ministry of Protection.

“He excelled in laptop science, particularly, software program growth. He by no means forgot his dream to be a veterinarian. He persevered and now he’s a Physician reaching one aim, one other being to work within the European Union,” Treadstone’s report continued, underscoring that the person has “labored very arduous at eradicating his on-line previous in an obvious try to take away previous felony actions” and that they count on him to disclaim any affiliation.

Bardin identified that whereas “Mr. Tekide” was absent from the hacking scene for a couple of years as he tried to again out of illicit actions, even throughout his absence his crypters remained in use by different attackers, thus they had been nonetheless a key a part of the cyber operations provide chain for Iran’s authorities and its proxy teams.

File photo - A picture taken on August 20, 2010 shows an Iranian flag fluttering at an undisclosed location in the Islamic republic next to a surface-to-surface Qiam-1 (Rising) missile which was test fired a day before Iran was due to launch its Russian-built first nuclear power plant. 

File photograph – An image taken on August 20, 2010 exhibits an Iranian flag fluttering at an undisclosed location within the Islamic republic subsequent to a surface-to-surface Qiam-1 (Rising) missile which was check fired a day earlier than Iran was attributable to launch its Russian-built first nuclear energy plant. 

“He additionally repeatedly examined his crypters by options like VirusTotal in an effort to guarantee they might stay undetectable and efficient for Iran’s Ministry of Protection,” Bardin claimed. “What a crypter basically does is to cover the malware’s signature by encrypting it, in order that it can’t be detected or tracked by safety groups and risk intel companies. Mr. Tekide is an achieved and expert programmer, and his crypters have been utilized by quite a lot of hackers in addition to the Iranian authorities, in assaults related to APT34 – aka OilRig, MuddyWater, and so forth.”

READ  The terminally unwell must be allowed to die (opinion)

OilRig is a risk group with suspected Iranian origins that has focused Center Japanese and worldwide victims since at the very least 2014, Bardin famous. The group has focused quite a lot of industries, together with monetary, authorities, vitality, chemical, and telecommunications, and has largely centered its operations throughout the Center East. It seems the group carries out provide chain assaults, leveraging the belief relationship between organizations to assault their main targets.

“FireEye assesses that the group works on behalf of the Iranian authorities based mostly on infrastructure particulars that include references to Iran, use of Iranian infrastructure, and focusing on that aligns with nation-state pursuits,” Bardin defined.

AP Graphicsbank

Qalavand’s obvious effort to extract himself from the hacking underbelly began round 2016, across the similar time that Citizen Lab – a analysis and growth unit with the Munk College of International Affairs & Public Coverage on the College of Toronto – got here out with an in depth report illuminating Iranian hacking operations.

In response to The Citizen Lab report, “elaborately staged” malware operations particularly focused members within the Syrian opposition, who rallied towards the Iran-backed Bashar al-Assad regime.

“The operators appear comfy with Iranian dialect instruments and Iranian internet hosting corporations, they usually seem to have run parts of the operation from Iranian IP house,” the report surmised.


In a single focused instance, an electronic mail purporting to be from the pretend activist outfit “Assad Crimes” emailed a well-connected Syrian opposition political determine providing to share details about Iranian “crimes” to lure within the recipient, however related recordsdata had been loaded with malware. The report particularly recognized “Mr. Tekide” as a reputation that usually seems within the implants.

“It appears as if Mr. Tekide tried arduous to change careers and turn into a veterinarian. Nevertheless, extra lately, he appears to have fallen again into his previous methods, presumably due to monetary causes. It is usually doable that the Iranian authorities ‘took care of’ his educational payments and he now owes them in consequence,” Bardin conjectured. “He frolicked final yr transforming a crypter, which demonstrates continued developments in his malicious technical capabilities.”

READ  Hunter whose giraffe picture went viral says she's 'completely' nonetheless looking: 'I'm pleased with that giraffe'

Bardin’s identification of ‘Mr. Tekide’ as Mostafa Selahi Qalavand began in 2015 whereas he was conducting analysis for a shopper, and Bardin mentioned he noticed a number of errors got here from his rushed effort to clean his hacking background as “Mr. Tekide” which left a number of potential ties to his actual identification.

“Throughout this cleanup course of, he made a couple of errors which left clues straight tying ‘Mr. Tekide’ to his actual identification. Mostafa has additionally tried to confuse the identification of ‘Mr. Tekide’ by taking steps to falsely implicate two different people as ‘Mr. Tekide,’” he mentioned. “It is price noting that these feints had been largely pointless on the time, since nobody was on the lookout for him. Researchers and investigators had been solely within the crypter code and find out how to detect it. These errors by Mostafa led to disclosures which have since been faraway from the Web, however I used to be capable of file them on the time.”

His Twitter account seems to not have been energetic since April.

Bardin mentioned he has been in contact with the alleged hacker on-line and has exchanged a number of messages through Linkedin – most lately earlier this week. Qalavand, Bardin mentioned, had expressed curiosity in having the U.S. cybersecurity knowledgeable work for him however refused to explicitly point out how or what.

Qalavand didn’t reply to Fox Information’s request for touch upon the file.


However in the end, what does this inform us in regards to the Iranian cyber capabilities?

“They proceed to make use of the ‘previous guard’ and located his crypters to nonetheless be helpful towards typical cyber defenses. They nonetheless work. However, he’s nonetheless enhancing them as evidenced on a discussion board website the place he up to date a crypter,” Bardin added. “This exhibits fixed evaluation by Iranian cyber forces and their means to repeatedly replace their instruments within the cyber operations provide chain. It additionally exhibits how the Iranian authorities depends upon a big provide chain of impartial hackers, coders and malware builders to help its offensive cyber operations.”


Please enter your comment!
Please enter your name here