Features

How to Deal with Islamist Hackers?

January 6, 2018
Arash Azizi
8 min read
Anderson wishes more attention was paid to ordinary victims of Iranian cyber attacks: The independent journalists and activists, both in Iran and abroad

Experts who research the treacherous and seemingly unnavigable world of espionage and cyber warfare often shock the world. And so it was when, in July 2015, it was revealed that the United States had spied on German Chancellor Angela Merkel. But if spying on a foreign ally is shocking, consider the revelations that the Iranian state spied on the personal accounts of its own foreign minister, diplomats and many high-ranking cabinet members of President Hassan Rouhani’s administration.  

The findings appear in a report produced by the Carnegie Endowment for International Peace and co-authored by Collin Anderson, a Washington DC-based researcher who has spent the past few years working on cybersecurity in Iran, and Karim Sadjadpour, a senior fellow at Carnegie and a highly respected Iran analyst. 

Anderson is modest about his work, but he is renowned in the community for his excellent research. “Collin was really the star of this report,” is how Sadjadpour put it in an email to IranWire. 

The publication of the report happened to coincide with the wave of protests that has shaken the Islamic Republic over the last 10 days. Its findings, grounded in documentation and evidence, are so far-reaching that they made headlines across much of the Iranian press. 

“One of the things that is unique about this report is that it relies on a lot of primary sources,” Anderson told IranWire in a phone interview from his base in DC. 

The report, Iran’s Cyber Threat, provides evidence that hacking groups, mostly working with the Islamic Revolutionary Guard Corps (IRGC), the notorious Praetorian Guard of Iran’s hardline establishment, actively targeted a range of actors inside and outside the country. It also reveals personal conversations between some of the hackers that offer an unprecedented window into their thinking and operations. 

I asked Anderson how he managed to gain such information. 

“What everyone has asked us is: So are you hacking them?” he said. “The answer is no. We use forensic research techniques and engage in very basic and common practices in the cybersecurity community.” 

These, he explained, include approaches like “sinkholing”: redirecting the domains that a piece of malware reports back to, often with the cooperation of the web-hosting intermediaries the attackers rely on, to a server the researchers control. Infected machines then check in with the researchers instead of with the operators, revealing who has been compromised and what the malware sends home.

“Some of the attackers have made a very simple mistake of infecting themselves with their own malware,” Anderson explained. This has allowed his research to paint what he described as an “intimate portrayal” of their work. 
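As an added illustration of the sinkholing approach described above, and of how operators who infect themselves show up in the resulting data, here is example code that is not from the Carnegie report or from Anderson. The access-log lines, the beacon URL layout (`/gate.php?id=…&c=…`), the victim-id naming and the operator netblock are all constructed for this example.

```python
"""Triage of constructed sinkhole beacon logs.

A sinkhole is a server that researchers point a malware family's
command-and-control domain at, so every infected machine that still
phones home reaches the researcher instead of the operator. Everything
below (log lines, beacon format, netblocks) is constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed Apache-style access log from a hypothetical sinkhole. The
# implant is assumed to beacon with GET /gate.php?id=<victim>&c=<campaign>.
SINKHOLE_LOG = """\
203.0.113.7 - - [14/Dec/2017:09:12:01 +0000] "GET /gate.php?id=WS-4411&c=alpha HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.7 - - [14/Dec/2017:09:17:02 +0000] "GET /gate.php?id=WS-4411&c=alpha HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.23 - - [14/Dec/2017:09:20:44 +0000] "GET /gate.php?id=DEV-TEST&c=alpha HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
192.0.2.55 - - [14/Dec/2017:10:02:19 +0000] "GET /gate.php?id=LT-0098&c=beta HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.9 - - [14/Dec/2017:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 169 "-" "Googlebot/2.1"
"""

# Constructed: address space the analyst has already tied to the operators
# (for instance the netblock that hosted their earlier C2 servers).
OPERATOR_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Beacon:
    ip: str
    ts: datetime
    victim: str
    campaign: str
    user_agent: str


def parse_beacons(log_text):
    """Return the Beacon records in an access log, skipping non-beacon noise."""
    beacons = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["path"])
        if url.path != "/gate.php":
            continue  # scanners, crawlers and stray browsers hit the sinkhole too
        q = parse_qs(url.query)
        if "id" not in q or "c" not in q:
            continue
        beacons.append(Beacon(
            ip=m["ip"],
            ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            victim=q["id"][0],
            campaign=q["c"][0],
            user_agent=m["ua"],
        ))
    return beacons


def victims_by_campaign(beacons):
    """Map campaign -> sorted list of distinct victim ids seen checking in."""
    out = defaultdict(set)
    for b in beacons:
        out[b.campaign].add(b.victim)
    return {c: sorted(v) for c, v in out.items()}


def likely_operator_infections(beacons, operator_nets=OPERATOR_NETS):
    """Beacons that come from the operators' own address space.

    An operator who ran the implant on their own machine keeps phoning the
    sinkhole like any other victim; the source address gives them away.
    Victim ids that look like test builds (DEV-/TEST- prefix) are reported too.
    """
    flagged = []
    for b in beacons:
        addr = ipaddress.ip_address(b.ip)
        from_operator = any(addr in net for net in operator_nets)
        if from_operator or b.victim.upper().startswith(("DEV", "TEST")):
            flagged.append(b)
    return flagged


if __name__ == "__main__":
    bs = parse_beacons(SINKHOLE_LOG)
    print(victims_by_campaign(bs))
    for b in likely_operator_infections(bs):
        print("possible operator self-infection:", b.ip, b.victim, b.ts.isoformat())
```

On the constructed log, the parser drops the crawler hit, groups the remaining beacons into two campaigns, and flags the single check-in from the operators' netblock, which also carries a test-build victim id. In a real investigation the operator netblock list comes from earlier infrastructure analysis, and the victim-id heuristic is only a hint to be confirmed by hand.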

The detailed report, whose eight chapters make for fascinating reading, took years to complete. This is partly because the pace of Tehran’s cyber attacks is not steady. When that pace picks up around major events and turning points, the job of researchers hoping to detect trends becomes easier. 

Anderson said he had been working for a couple of years on the issue, but it was “suddenly around the presidential elections of 2013” when things really started to get interesting. 

“All sorts of attacks were being ramped up in the lead-up to the 2013 election,” he explained. “Groups that we name in the report like Magic Kitten or Flying Kitten had existed before but they gathered pace and it was clear that they were aiming at the political opponents of the hardline establishment. We started writing the paper around 2014 and 2015 and we’ve been going through the process of writing, editing and re-shaping it over the course of about two and a half years.” 

Two chapters of the report are dedicated to charting Tehran’s “internal” and “external” targets, and they paint a colorful picture of how the campaigns of Tehran’s hackers shift their focus from one set of victims to another. 

“One month they would go against Baha’is, another against Christian evangelicals,” Anderson told me. “Then it might be some American foreign policy institutions that are involved with Iranian policy or the Trump administration. And then, Iranian journalists.” 

Of course, Anderson’s work is ongoing. “Right now, I am trying to see if there is any indication that there has been a specific focus on domestic audiences in the light of current protests,” he said.

While almost all the hacking operations the report reveals are run by the IRGC, one of them, which the cybersecurity community has named Magic Kitten, is run by the Ministry of Intelligence, nominally controlled by a minister appointed by President Rouhani (although the group predates the Rouhani government). 

I asked Anderson if there are noticeable differences between Magic Kitten and the IRGC-run operations. 

“They are definitely parallel operations,” Anderson said.  “I would caveat that by saying that our understanding of the Ministry of Intelligence operations is much more limited, which might show that they are a little bit more sophisticated.” 

Whereas the IRGC operations use “blunt force methods,” the ministry works in “more sophisticated ways,” he said. 


So How Powerful Are Iran’s Hackers? 

Just how powerful Iran’s cyber capabilities are is the subject of heated debate.

“Though Iran is generally perceived as a third-tier cyber power— lacking the capabilities of China, Russia, and the United States,” the report says, “it has effectively exploited the lack of preparedness of targets inside and outside Iran.”

Tehran-backed hackers have managed feats such as hijacking Twitter’s DNS records and effectively taking the site offline for several hours in December 2009 (a group calling itself the Iranian Cyber Army claimed responsibility) and breaching the Dutch certificate authority DigiNotar in 2011, where fraudulently issued certificates for Google domains allowed Tehran to intercept the Gmail traffic of users in Iran. The report counts the latter as “one of the largest security breaches in the history of the internet.” 

I asked Anderson how it is that a “third-tier cyber power” manages to pull off such operations. 

“Iran is not even as capable as North Korea [in this regard],” he said, “but it has been pretty good in using its minimal investment. Were the Iran government to focus its resources, it could reach much higher.” 

Anderson counts the 2009 attack by the Iranian Cyber Army on Twitter as an example of Iranian hackers really showing their might.  

“I think I know who the Iranian Cyber Army is,” Anderson said. “It is one person who is not even a great hacker but someone who is really good at social engineering and has been around for at least six years, making money off stealing domain names and then starting to use his skills in the service of the government. This shows the power of one individual to inflict economic harm or political costs or embarrassment on adversaries, if they just have enough time.” 

And that’s another central finding of the report: Many of the hackers serving the Iranian regime are not ideological Islamists, but young geeks out to make quick cash. 

The report also reproduces an online chat between hackers trying to recruit new people to their team.

“If you want to bring someone new, promise them trips to Antalya [on Turkey’s Mediterranean coast] or Thailand,” one of the hackers working for an IRGC project tells his colleague, a reference to favorite destinations for Iranians seeking vacations free from the religious restrictions mandated by law in Iran. 

“I can only promise them trips to Qom or Jamkaran,” his interlocutor answers, caustically referring to Shia pilgrimage sites south of Tehran. 

“It looked like these were people who needed to make some money and didn’t have a lot of opportunities,” Anderson said. “Then they saw people getting rich out of founding cybersecurity communities and deciding that their client could be the government.”

“I don’t think they are all ideological,” Anderson added. “Some of them are, but some have Instagram accounts which show they are smoking pot or watching a lot of pornography. Some might be ideological but some are murky opportunists.” 

Anderson said his research also showed that “persisting rumors without any evidence” about Iran receiving support from allies such as the Russian government may well be untrue. 

“What we know about their capacity shows that they use tools so rudimentary that any individuals with basic experience in computer programming could develop,” Anderson said. “None of the attacks transcended a basic level of skill set. None of the trends we monitored reflect any sort of external involvement.”

A possible exception is Magic Kitten which, according to US National Security Agency findings, shared its malware with Lebanon’s Hezbollah around 2010, but even that collaboration was short-lived. 

“Hezbollah probably developed their own malware, possibly better than Iranians,” Anderson said. “We also see that Syrian hackers really owe more to the Arab defacement community and have their own trajectory.” 

After our phone call, Anderson said he would be going back to his computer to finish work on his latest research on the Iranian Cyber Army. I asked about his vision for this kind of research into Iran’s cyber capabilities. He said he wished more attention was paid to ordinary victims of Iranian cyber attacks: the independent journalists and activists, both in Iran and abroad. These include many of those writing for IranWire.com, including yours truly, who has regularly encountered phishing attacks, as recently as two weeks ago. 

“You look across reports on Iranian cyber capabilities and you see that they are always focused on attacks against defense companies or the government,” Anderson told me. “I think that shows the Iranian civil society being left out of the conversation even though, as we show, they tend to be the primary targets.”

“Iranians are important stakeholders and their needs have to be considered and more support given to individuals,” he said. 


Read the full report, Iran’s Cyber Threat: Espionage, Sabotage, and Revenge
