Iranian Intelligence Services – ( Shahid Kaveh ) The Sayad Project and Sayad 2 – Dissident & Foreign Support, Internal Targeting – Khalq Project 99

The below information provided via Lab Dookhtegan and Treadstone 71 research supports earlier Treadstone 71 reports on Iranian influence operations, cyber operations, persona generation, Basij Cyber Battalions, and targeted adversary analysis (see the links below).  Iranian intelligence operations demonstrates fear of dissident and opposition activities abroad and an effort to control and eliminate any potential counter narrative to the official revolutionary line, including assassinations. Iran controls internal communications with Dezhfa. The Shahid Kaveh organization is not new as we have reported on them many times in the past (see the links below).

While this holds to be true, there are still internal Iranian regions and opposition groups targeted for cyber penetration, oppression, and suppression of messaging. Iran targets and uses internal spies to penetrate groups that have nothing less than a differing opinion on how the country should be run. They infiltrate, identify, arrest, torture, and murder. Their inability yet constant attempts to control dissident behavior takes shape below in our postings and analysis. Iran cyber tradecraft blends with the kinetic as they seek to learn about all dissident movements, online postings and traffic, the installation of surveillance applications and malware on targeted devices, and the penetration of opposition internal operations shows they cannot be trusted. We suggest these types of activities be included in the efforts at JCPOA renewal (along with fomenting unrest in Lebanon, Gaza, Jordan, Turkey, Yemen, Bahrain, and Saudi Arabia non-inclusively).

Associated files are available within this posting.

cyberinteltraining

As translated directly from Iranian Intelligence documents


Iranian tar

In the name of God

Ilianet Gostar Iranian

Sayyad Project

Significance

One of the major purposes of Sayyad project is to cause disruption in the activities of enemy groups.

The annual meeting of these groups is a main and important venue for promoting this organization. Holding such events is a means for this group to announce they are still alive and hence to provide a part of their budget. Therefore, causing damage and disruption to these meetings may damage their reputation and ruin their existence, and as a result lead to their faster destruction.

Purposes

  1. Preventing the annual meeting if possible or causing disruption in the process of holding the meetings.
  2. Showing that the meetings are useless and they can only be used locally.
  3. Preventing the development of these groups and recruitment of new members.
  4. Ruining the international reputation of the enemies.
  5. Eliminating the support of the enemy groups by European countries
  6. Making Albania unsafe as the enemies’ host.
  7. Blacklisting these groups as terrorist groups

Potential measures

  • Identifying the enemies’ websites
  • Obtaining the access to the enemies’ major websites used for dumping data and analyzing the existing data to identify the important figures, their local agents, the recruiting methods and their collaboration with these groups.
  • Identifying the websites that provide live coverage of these meetings in order to disrupt the live broadcast of the meeting and to end their connection to the meetings if possible.
  • Providing campaigns for cyber resistance against the enemies

Achievements

  • Causing disagreement among Albanian people regarding the existence of the enemies in their countries.
  • Destroying the communication channels between the enemies and their local forces inside Iran
  • Destroying the sham magnificence of the enemies
  • Unveiling the real truth of the enemies
  • Preventing the spread of news regarding the enemies’ meetings
  • Blacklisting these groups as terrorist groups

FAX: 021-7671336, 021-7672823


Ilianet Gostar Iranian

Sayyad Project

Subject: locating, identifying and prioritizing all measures that lead to damaging s.x.v (س.خ.و) and disrupting their performance, and providing ideas and means for fulfilling the desired goals.

  1. Introduction

After a careful study of the enemy groups, it seems that the strength of enemy groups is in how they establish connections with different individuals to carry out operations that counter the benefits of the Islamic Republic of Iran either locally or internationally. They even use these connections to perform physical operations. Given this issue, in order to cause damage to these groups, the priority should be given to intelligence measures to obtain information from individuals, means of communicating with groups, identification measures and identifying their agents.

  1. Taken measures
  2. Suggested measures
    • Obtaining the access
      • Existing accesses
  •  Tavana website

Note: After reviewing the information of Tavana website and considering that the website advises the users to create fake emails for themselves at the very beginning of membership, accurate information cannot be obtained from users and members collaborating with the website.

Suggestions: this website provides a series of VPN services to its users. It is suggested that malwares be developed and embedded in this website in order to infect the website users’ systems. These malwares shall obtain identity information such as the number of accounts, names and phone numbers of real individuals so that the website connection to local forces can be interrupted, through using contact information and important forces.

  • tv, live stream website

Note: Over the past years, this group used live stream function of synople.tv to have live broadcast of their meetings. Given the current state of the world and the spread of covid-19, it seems that the annual meeting of this group will be held on the Internet.

Suggestion: the access to the website should be analyzed and necessary measures should be taken at the time of the meeting to disrupt the live broadcast of the annual meeting.

  • Emails of certain individuals who are a member of enemy

Note: Over the past years, a limited number of emails from the enemies have been obtained.

Suggestion: To better analyze and identify the relevant individuals, we need access to the emails.

Notes: given the background of the enemy, it seems that sending threatening emails to the members of this group does not suffice. Thus, after using the email platforms, to better know them, disuniting emails can be sent to them. Such emails can be sent by emails of their own or email that we have access to.

3.1.2 New accesses

  • org

Note: this is the main website of Mujahedin. In the radio section of this website, besides to live news broadcast, a program called “those who want to interact” is aired, whose function is to establish health appointment for radio audience and those who want to collaborate with the group.

cybercounterinteltraining

Suggestion:

  1. Obtaining the access to radio.mojahedin.org which is the subdomain of the main website and pertinent to the radio section
  2. Obtaining the access from the email introduced in radio for establishing relation with audience.
  3. Analyzing the information existing in the email in order to identify the important person, their local forces and the means and process of establishing relations and recruiting new members to collaborate with them.
  4. The use of obtained platforms. Subdomain of the main site and the site email, after completing the identification work, to upload the desired content on the website. This content should be in line with disrupting the site’s communication with its audience and introducing its own intermediaries.
  • com website

Note: This is the TV website of enemies. This website has 2 software programs. One software program is for live broadcast and the other one is for video archive and website programs.

Suggestion: obtaining the access to both website and software programs with the following objectives:

  1. Causing disruptions in live broadcasts during sensitive moments e.g. during important live speeches.
  2. Placing the desired content in the website and archive software.
  3. Infecting the users’ system to locate them

Note: given the background of enemies and the probability of their operations inside Iran, this capability can be used to locate the users and find their geographical coordinates during the operations.

  • Identifying websites that support enemies for mass hacking and preventing the news coverage of the group annual meetings
  • Identifying the admins of telegram channels with the goal of
  1. Sending malware together with videos and photos with interesting content for them
  2. Hacking the accounts.
    • Finding the geographical coordinates of the enemy camp with the goal of:
  3. Finding the users of Twitter and Instagram, who provide content in Persian or submit relevant posts in social platforms. Waging psychological warfare, making discontent or establishing relationship with the camp
  4. Finding ISPs that provide them with the Internet and causing disruption in their internet connections or damaging their systems.

3.5 Providing a list of hashtags and issues they have focused on and finding the person who has used these hashtags first with the goal of identifying important individuals and major forces.

3.6 establishing relation with fake individuals and enemies.

FAX: 021-7671336, 021-7672823


In the name of God

Ilianet Gostar Iranian

Report on discovery and membership in a secret dissident group

First, an attempt was made to identify the key members of the resistance channel, whose telegram channel was available at moghavevat.org, and it led to an acquaintance with its admin, Mr. Siamak Rezapour.

By communicating with him and trying to enter their secret circles, he finally introduced us to a group manager named Mehran Salehi (manager of one of the groups).


In the name of God

Ilianet Gostar Iranian

In order to prevent the actions of the Iranian opposition living abroad, in the first step, it is necessary to monitor all the activities of these oppositions, including their movements and relations with different countries. For this reason, the identification of Albanian airports and related airlines is a priority.

Albania currently has three international airports and two airlines.

  1. Tirana International Airport

The airport is located 11 km northwest of Tirana in a region called Korce and is known as Mother Teresa Airport. It is also known as Rina Airport. This is the main airport of Albania

Year of construction: 1957

Area: km2

Number of flights in 2018: 25426

Number of runways: 1

Number of passenger terminals: 1

  1. Kukes Airport Zayed bin Sultan Al Nahyan

This airport is located 3.5 km south of Kukes city. Despite being an international airport, it operates like a local one. No website has been found for it and the facilities of this airport are the facilities of a normal small airport.

This airport is currently under reconstruction.

  1. Vlore airport

Vlore international airport is an airport project expected to be built in 2020 and in the Vlora city of Albania.

FAX: 021-7671336, 021-7672823

www.eeleyanet.ir

info@eeleyanet.ir

targeted


Albawings airline

Domain: albawings.com

Introduction

Albawings is one of the best Albanian airlines. This company was founded in 2015 and now connects Albania to European destinations.

Albawings is also committed to provide the most reasonable prices for flights destined for Albania.

Airlines

  • The website capabilities
  1. Online reservation system of the airline – under domain booking.albawings
  • No access
  1. Distribution management system under domain dms.albawings where documented written reports are uploaded by pilots and flight crew.

Accesses

  • Access to dms.albawings panel (distribution management system)
  • Shell access to the main website
  • Offline webmail access – update function (the need for deepening for online access)

Offensive measures

  • Obtaining the information of passengers
  • Causing disruption in the report system of flight crew and pilots in DMS

Achievement

  • Intelligence dominance over the arrival and departure from Albania

 Contact Treadstone 71 on our services

In the name of God

Ilianet Gostar Iranian

Subject: the reports of measures taken in Khalgh Project 99

Report date: 02/13/2021

  • Creating a list of enemy groups in Iran in the form of excel files and based on URL, the group name, place of establishments, social networks, IP, etc.
  • Categorization of groups to Kurdistan, Baluchistan and Ahwaz enemy groups.
  • Creating a double single sheet and two flashcards for Pakistan accesses
  • Creating a single sheet of Zelli app (an app used by the enemy groups)
  • Creating an initial map for enemy groups
  • Providing an introduction report to Ali Javanmardi accounts and placing them in the system
  • Completing the map of groups, and introducing their members, leaders and Facebook IDs
  • Holding meetings and reporting the taken measures to Mr. Engineer
  • Placing the individuals’ Facebook IDs in the system
  • Providing a list of Kurd Personalities in Kurdistan and the relevant photos
  • Completing the list of Facebook IDs with 68 IDs so far, the majority of which belongs to Democratic Party of Iranian Kurdistan, Komala Party and Kurdistan Free Life Party.

FAX: 021-7671336, 021-7672823

www.eeleyanet.ir

info@eeleyanet.ir


In the name of God

Ilianet Gostar Iranian

http://alahwaz.com     alahwaz.info

http://kurdistanmedia.com

http://ostomaan.org

http://balochpeople.org

http://www.pscp.tv/w/1zqKVewVyrlxB

http://www.pscp.download/?url=https%3A%2F%2Fwww.pscp.tv%2Fw%2F1zqKVewVyrlxB

http://www.kurdpa.net/index.php?besh=dreje&id=2704 ( GET )

FAX: 021-7671336, 021-7672823


membersofenemygroupIR-4membersofenemygroupIR-3membersofenemygroupIR-2membersofenemeygroupIR


In the name of God

Ilianet Gostar Iranian

Sayyad 2 Project

Introduction

Over the holy 40-year history of the Islamic Revolution, many forces have done their best to weaken, destroy or mislead this popular movement which arose from the pains of the oppressed and deprived people, a movement that was guided by the light of our late Imam and then the supreme leader, both enjoying the support of Imam Zaman (may our lives be sacrificed for Him). Among these forces were the enemies of the Holy Islamic Republic of Iran, which collaborated with the global arrogant powers to bring the movement of Imam Ruhollah Khomeini (peace be upon him) to its knees.

Now, many years have passed but they do not still feel regret about their deeds and are after fighting the revolutionary and martyr-growing nation of Iran. However, the young and revolutionary Iranian believers are ready to combat these hated enemies of revolution in every single frontline. Therefore, they have decided to conquer the fake dugouts of the enemies on the Internet, which are weaker than spider’s net. This project is among such measures taken by these revolutionary youths.

Treadstone 71 – Contact | Treadstone 71


Report on discovery and membership in a secret dissident group

First, an attempt was made to identify the key members of the resistance channel, whose telegram channel was available at moghavevat.org, and it led to an acquaintance with its admin, Mr. Siamak Rezapour.

By communicating with him and trying to enter their secret circles, he finally introduced us to a group manager named Mehran Salehi (manager of one of the groups).

After contacting him and requesting to join the secret groups, he sent videos about the security of the telegram and how to keep it safe. He mentioned that we can become a member under the condition of conforming to these security guidelines (by reviewing the video, we found out that almost all security points were observed).

Finally, we entered a group called Bahar Iran.

After the membership in the group and doing a search, we found that members discuss the objectives and plans in the group. According to a schedule, every night at 22 pm, one key member analyzes the daily news and elections, under the cover of a teacher.

Weekly plan of live sessions in the first week of Ordibehesht

 

Saturday A talk with Master Javid: the economic structure of the regime 22 pm
Sunday A talk with Master Khorasani: daily political topic 22 pm
Monday A talk with Mehran Salahi: Army’s notice and achievements 22 pm
Tuesday A talk with Master Khorasani: daily political topic 22 pm
Wednesday A talk with Master Shahin Qobadi: revolutionary diplomacy 22 pm
Thursday No dialogue 22 pm
Friday No dialogue 22 pm

At present, this organization is carrying out activities such as slogan writing, recruitment, etc. in Tehran and other cities, especially Karaj. Documents collected from members and the second assigned force are also attached.

In addition, the profiles of members and important people of this group have been photographed and documented due to the lack of public access to the group.

In this group, we entered as Ms. Melika Rahnama who is a student of Law at Azad University of Karaj. We were active in that group by building trust among the members

Files:

  • Statements and news
  • Videos
  • Photos and members ID

 

 


Targeting Information:

targetingstatusandattackmethod
Iranian Intelligence Targeting – Status, Hacking Methods, URL target
Iranian Intelligence opposition and dissident website targeting and penetration methods - Team leads
Iranian Intelligence opposition and dissident website targeting and penetration methods – Team leads
row Host Subdomain Ip
1 mojahedin.org mojahedin.org 15.188.230.179
2 mojahedin.org autodiscover.mojahedin.org 52.6.140.65
3 mojahedin.org autodiscover.mojahedin.org 54.175.152.112
4 mojahedin.org autodiscover.mojahedin.org 52.23.143.228
5 mojahedin.org event.mojahedin.org 13.224.198.31
6 mojahedin.org event.mojahedin.org 13.224.198.26
7 mojahedin.org event.mojahedin.org 13.224.198.116
8 mojahedin.org event.mojahedin.org 13.224.198.36
9 mojahedin.org library.mojahedin.org 13.224.198.116
10 mojahedin.org library.mojahedin.org 13.224.198.36
11 mojahedin.org library.mojahedin.org 13.224.198.31
12 mojahedin.org library.mojahedin.org 13.224.198.26
13 mojahedin.org report.mojahedin.org 13.224.198.26
14 mojahedin.org report.mojahedin.org 13.224.198.116
15 mojahedin.org report.mojahedin.org 13.224.198.36
16 mojahedin.org report.mojahedin.org 13.224.198.31

Opposition website URLs and IPs for targeting

row Domain Name Creation Date Registrar
1 mojahedin.com 10/15/2003 networksolutions.com
2 rahnamatolid.com 5/24/2011 realtimeregister.com
3 mojahedin.org 11/3/1997 networksolutions.com
4 estakhrsaz.com 5/21/2018 publicdomainregistry.com
5 lgtamirat.com 8/19/2017 onlinenic.com
6 aroadecor.com 8/13/2017 publicdomainregistry.com
7 arioservice.com 8/8/2017 publicdomainregistry.com
8 reykanrepair.com 5/7/2017 onlinenic.com
9 bitumen-portal.com 12/26/2016 publicdomainregistry.com
10 bitumenportal.com 12/26/2016 publicdomainregistry.com
11 mehrparsfund.com 10/26/2016 realtimeregister.com
12 aroa-petroleum.com 10/25/2016 publicdomainregistry.com
13 aroa-tech.net 7/21/2016 publicdomainregistry.com
14 aroatech.net 7/13/2016 epag.deenwhois
15 aroatech.com 7/13/2016 epag.deenwhois
16 ts-iranian.com 6/18/2016 onlinenic.com
17 mivekhoshk.com 11/1/2018 apiname.com
18 canadasettel.com 2/16/2015 tucowsdomains.com
19 khaterehstudio.com 6/18/2016 realtimeregister.com
20 taranomsobh.com 5/24/2014 realtimeregister.com
21 julius-watch.com 7/1/2017 realtimeregister.com
22 azimi-el.com 5/12/2013 realtimeregister.com
23 mehrbroker.com 2/7/2008 realtimeregister.com
24 mancaveentertaintment.info 4/15/2013 godaddy.com, llc (r171-lrms)
25 mancaveentertaintment.us 4/15/2013 (registration services) whois.godaddy.com
26 spadanashop.com 2/26/2018 zenregistry.com
27 peykeshadi.net 12/3/2014 networksolutions.com
28 azimi.net 10/19/1999 networksolutions.com
29 spadanapipe.com 2/28/2019 apiname.com
30 parsa-trade.com 9/25/2013 zenregistry.com
31 aroa-tech.com 7/13/2016 internetbs.net
32 instabotgram.com 1/11/2018 joker.com

ینستابات گرام | افزایش فالور واقعی اینستاگرام | سه روز هدیه رایگان

Instagram Gram | Increase real Instagram followers Three days free gift

33 farazplast.com 6/25/2014 joker.com
34 spadana-pipe.com 10/20/2003 zenregistry.com
35 pumpkeen.com 11/16/2011 zenregistry.com
36 vivaskin.net 10/31/2010 zenregistry.com
37 parsianexir.com 3/1/2011 realtimeregister.com  

 

services

website targets
Website Targets for Attack and Penetration

Contact Treadstone 71 for information on cyber intelligence training, services, and consulting including intelligence program builds, cyber counterintelligence, adversary targeting, program assessments and customized services.

Treadstone 71 – Contact | Treadstone 71