Since January 2025, the Darkbit hacking group, identified as Storm-1084, has targeted Mivchar College in Israel. Leading this group is Hossein Fard Siahpoush, also known as Parsa Sarafian, associated with Ravin Smart Voice (Ravin Academy) in Iran.
Mivchar College Overview
Established in 2000 by Dr. Rabbi Abraham Fors, Mivchar College collaborates with institutions like the University of Haifa, the Technion Institute of Technology, and the Jerusalem College of Technology (JCT). The college offers programs in social work, mapping and geographic information, and computer science.
Darkbit’s Activities
Darkbit has conducted cyberattacks against Mivchar College, disrupting operations and compromising data. Indicators of Compromise (IoCs) related to these attacks are being shared among technology companies to bolster defenses.
Leadership and Affiliations
Hossein Fard Siahpoush, also known as Parsa Sarafian, leads Darkbit. He is linked to Ravin Smart Voice (Ravin Academy) in Iran, suggesting a nexus between the hacking group and Iranian cyber initiatives.
Indicators of Compromise (IoCs)
The following IoCs have been identified in relation to Darkbit’s activities:
594c32f87323aafe857b72feb54639ea8ee1b12ab2bc8a52964911805cf93fb5: A file hash associated with malware used in the attacks.
b29b46e8ce76f8d8065455c205c82184a30f1fe0f2e8e2e224add2b02f2b4019: Another file hash linked to malicious software deployed by Darkbit.
3e6857907931eacc843a593d8fddccbb7660b0cc253b78e163cb3e854df72a89: A hash corresponding to a compromised file identified during the investigation.
5b0f412e997b8826e06daee46b8778a97ffa40f4a2327d321e19744503ac73b5: An IoC related to the malware’s command and control communications.
a5eb836e76c00b610509f4e8a18bd3bd7efe3db33b2711be5838c9fa455a05be: A hash indicating a specific variant of the malware used.
Social Media Reference
The social media handle @NarimanGharib has been mentioned in connection with these events and may provide further insights or updates.
The cyberattacks by Darkbit, under the leadership of Hossein Fard Siahpoush, highlight the ongoing cyber threats faced by educational institutions. The sharing of IoCs among technology companies is a crucial step in mitigating these threats and safeguarding sensitive information.
Hossein Fard Siahpoush, also known by the alias Parsa Sarafian, plays a pivotal role in Iran’s cyber operations. He serves as a board member of Avaye Hooshmand Ravin, commonly referred to as Ravin Academy, and leads the Darkbit hacking group.
Ravin Academy
Ravin Academy, also known as the Aavaye Hooshmand Ravin Institute or Ravin Smart Voice Institute, is an Iran-based cybersecurity company. The academy provides education and training in both defensive and offensive cybersecurity fields, including hacker training. Beyond education, Ravin Academy operates on behalf of Iran’s Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC), supporting them in recruiting hackers. Notably, hackers trained at Ravin Academy have been implicated in disrupting communications during protests against the Iranian regime, thereby repressing dissent.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Ravin Academy on October 26, 2022, under Executive Order 13606. The designation was due to the academy’s material support to the MOIS, encompassing services such as information security training, threat hunting, red teaming, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research.
Darkbit Hacking Group
Under Siahpoush's leadership, Darkbit has conducted cyberattacks against various targets, including Israeli institutions. In January 2023, Darkbit launched a ransomware attack on the Technion-Israel Institute of Technology in Haifa. The group has also claimed responsibility for attacks on the Tel Aviv Municipality, Israel’s National Cyber Directorate, and the Mental Health Department of the Israeli Ministry of Health, although these claims have not been substantiated.
Sanctions and International Response
In addition to U.S. sanctions, Ravin Academy has been subjected to sanctions by the European Union, the United Kingdom, and Canada. These measures underscore the international community’s recognition of the academy’s involvement in cyber operations that contribute to human rights violations and support for Iranian intelligence activities.
Hossein Fard Siahpoush, through his leadership roles in Ravin Academy and the Darkbit hacking group, has significantly contributed to Iran’s cyber capabilities. The activities of these entities have drawn international sanctions, reflecting global concerns over their involvement in cyberattacks and human rights violations.
