For years, “Mr. Tekide” has been well-known as a red flag within international cybersecurity communities. The alias has managed to evade being publicly identified despite being deemed a top malware developer and hacker whose crypters – which are used to conceal malware in an attack – have been used in cyber espionage attacks on the United States and broader West, as well as Sunni Arab countries and Israel.
But Jeff Bardin – the Chief Intelligence Officer at the California-based security firm Treadstone 71 who has been tracking Tekide since 2015 – says he has unmasked the Iranian man behind the keyboard, who is linked to Tehran’s Ministry of Defense.
The hacker is allegedly a 29-year-old veterinarian by the name of Mostafa Selahi Qalavand.
“It is difficult to fully assess the damage he has caused because there remains to this day a lot of secrecy about these attacks. However, his involvement was primarily with cyber espionage operations for the Iranian government,” Bardin told Fox News, highlighting that “Mr. Tekide’s” function was not to personally attack the West but to aid other actors to do so. He has been a key part of the supply chain for Iranian-affiliated hacking groups, which have carried out extensive cyber espionage campaigns. He is a talented programmer, and his crypters are sophisticated. Without his crypters, these Iranian attacks would have been far less successful.”
His activities started during the late 2000s with the Iranian hacker forum Ashiyane, Bardin documented; and continued up to about 2015-16. Bardin’s dossier on Qalavand’s alleged activities as Mr. Tekide concludes that the 29-year-old recently received his Ph.D. in veterinary science in Karaj and opened a practice, called the Rapha Vet Clinic but has since said that the clinic is “not doing well, probably due to the economic climate in Iran and the lack of affinity toward dogs and cats in Iran.”
“For a while, he attempted to get out of the hacking business, but in late 2018 I observed him returning to this operation more than likely for financial reasons. He started a new company that claims to offer threat intelligence services, and began working to update his crypters,” Bardin said.
Bardin’s Treadstone 71 assessment states that Qalavand’s interest in computers and small animals started as a child, and that he received a Bachelor of Science in computer engineering from the International Imam Khomeini University and spent many years with the Ashiyane forums developing software used in the attack supply chain while eventually working for the Ministry of Defense.
“He excelled in computer science, in particular, software development. He never forgot his dream to be a veterinarian. He persevered and now he is a Doctor achieving one goal, another being to work in the European Union,” Treadstone’s report continued, underscoring that the individual has “worked very hard at removing his online past in an apparent attempt to remove past criminal activities” and that they expect him to deny any affiliation.
Bardin pointed out that while “Mr. Tekide” was absent from the hacking scene for a few years as he tried to back out of illicit activities, even during his absence his crypters remained in use by other attackers, thus they were still a key part of the cyber operations supply chain for Iran’s government and its proxy groups.
“He also repeatedly tested his crypters through solutions like VirusTotal in order to ensure they would remain undetectable and effective for Iran's Ministry of Defense,” Bardin claimed. “What a crypter essentially does is to hide the malware's signature by encrypting it, so that it cannot be detected or tracked by security teams and threat intel services. Mr. Tekide is an accomplished and skilled programmer, and his crypters have been used by a variety of hackers as well as the Iranian government, in attacks associated with APT34 – aka OilRig, MuddyWater, etc.”
OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014, Bardin noted. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets.
“FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests,” Bardin explained.
Qalavand’s apparent effort to extract himself from the hacking underbelly started around 2016, around the same time that Citizen Lab – a research and development unit with the Munk School of Global Affairs & Public Policy at the University of Toronto – came out with a detailed report illuminating Iranian hacking operations.
According to The Citizen Lab report, “elaborately staged” malware operations specifically targeted members in the Syrian opposition, who rallied against the Iran-backed Bashar al-Assad regime.
“The operators seem comfortable with Iranian dialect tools and Iranian hosting companies, and they appear to have run elements of the operation from Iranian IP space,” the report surmised.
In one targeted example, an email purporting to be from the fake activist outfit “Assad Crimes” emailed a well-connected Syrian opposition political figure offering to share information about Iranian “crimes” to lure in the recipient, but associated files were loaded with malware. The report specifically identified “Mr. Tekide” as a name that regularly appears in the implants.
“It seems as though Mr. Tekide tried hard to switch careers and become a veterinarian. However, more recently, he seems to have fallen back into his old ways, possibly because of financial reasons. It is also possible that the Iranian government ‘took care of’ his academic bills and he now owes them as a result,” Bardin conjectured. “He spent time last year reworking a crypter, which demonstrates continued advancements in his malicious technical capabilities.”
Bardin’s identification of ‘Mr. Tekide’ as Mostafa Selahi Qalavand started in 2015 while he was conducting research for a client, and Bardin said he observed several mistakes came from his rushed effort to scrub his hacking background as “Mr. Tekide" which left several potential ties to his real identity.
“During this cleanup process, he made a few mistakes which left clues directly tying ‘Mr. Tekide’ to his real identity. Mostafa has also tried to confuse the identification of ‘Mr. Tekide’ by taking steps to falsely implicate two other individuals as ‘Mr. Tekide,’” he said. “It's worth noting that these feints were largely unnecessary at the time, since no one was looking for him. Researchers and investigators were only interested in the crypter code and how to detect it. These mistakes by Mostafa led to disclosures that have since been removed from the Internet, but I was able to record them at the time.”
His Twitter account appears not to have been active since April.
Bardin said he has been in touch with the alleged hacker online and has exchanged several messages via Linkedin – most recently earlier this week. Qalavand, Bardin said, had expressed interest in having the U.S. cybersecurity expert work for him but refused to explicitly indicate how or what.
Qalavand did not respond to Fox News’s request for comment on the dossier.
But ultimately, what does this tell us about the Iranian cyber capabilities?
“They continue to use the 'old guard' and found his crypters to still be useful against typical cyber defenses. They still work. On the other hand, he is still enhancing them as evidenced on a forum site where he updated a crypter,” Bardin added. “This shows constant analysis by Iranian cyber forces and their ability to continually update their tools in the cyber operations supply chain. It also shows how the Iranian government relies upon a large supply chain of independent hackers, coders and malware developers to support its offensive cyber operations.”