A headquarters affiliated with the Islamic Revolutionary Guards Corps is actively recruiting personnel in Tehran for cyber attacks.
April 27, 2016—Findings from the International Campaign for Human Rights in Iran show that, after civil activists and journalists, who have long been targets of cyber attacks by the Islamic Revolutionary Guards Corps, this institution has now expanded its attacks to officials of Hassan Rouhani’s government, including figures close to him and members of his cabinet. Hassan Rouhani’s government has not publicly criticized these attacks by the Guards Corps.
In the latest attack, Shahindokht Mowlaverdi, Deputy for Women and Family Affairs in Hassan Rouhani’s government, announced on April 20 by posting on her Twitter and Telegram accounts that her Gmail and Facebook accounts had been hacked and asked her contacts not to respond to messages being posted from her accounts.
Hadi Ghaemi, director of the International Campaign for Human Rights in Iran, said on this matter: “Privacy violations through cyber attacks, which have been carried out systematically and extensively for years by authoritarian bodies affiliated with military institutions against journalists and civil activists, have now also targeted officials of Hassan Rouhani’s government.” He added: “Given the extensive scope of such attacks, the President and officials of Iran’s Ministry of Communications and Information Technology must take serious action to identify and stop these attacks and end violations of citizens’ rights in this area.”
In addition to Ms. Mowlaverdi, over the past two years, high-ranking officials of Hassan Rouhani’s government, including an advisor close to him, a cabinet minister, a deputy foreign minister, and Mohammad Ali Abtahi, a former vice president under Mohammad Khatami, have been targeted by these hackers’ attacks. Some of these individuals lost control of their accounts for periods of time or completely.
These attacks are part of a continuous two-year effort by forces called the Cyber Army and by security groups outside the government, which have targeted the internet activities of government officials and reformist figures in addition to civil activists and journalists. After a hack, besides using the information they obtain, they systematically target people close to the compromised individual.
The Campaign has also learned that over the past year, one of the headquarters of the Islamic Revolutionary Guards Corps has been actively in contact with network security experts in Iran, inviting them to cooperate on projects aimed at designing cyber attacks using phishing, malware, and trojan methods, and has even threatened them.
An information technology specialist who was himself invited to cooperate with the Guards Corps told the Campaign: “This headquarters has promised adequate salaries to employ these individuals, and in cases where these specialists have refused to cooperate with this institution, it has intimidated these people and warned them about the consequences of not cooperating with it.”
In all these cases, after hackers gained control of the accounts of political figures, they quickly contacted the people who had been in touch with those figures, especially politicians and journalists, including non-Iranian journalists, so that before news of the hacking became public they could trap other individuals and extract the maximum benefit from each compromised account in the shortest time.
The Campaign’s investigations also show that Iran’s Cyber Army and security institutions have used three main techniques for such attacks. These techniques are not considered advanced methods, but because of users’ unfamiliarity with the basic points of securing their accounts, these attacks are very effective.
The most common, and one of the oldest, methods used to attack users is social engineering. In this method, the attacker sends a link to a page resembling the Gmail login page and asks the user to enter their username and password in order to access a file that appears to have been shared with them on Google Drive. These attacks are known as phishing attacks. After entering the username and password, the user has effectively handed control of their account to the attacker.
Those who had control of Ms. Mowlaverdi’s Facebook account sent users an email or Facebook message asking them to open a link (Image 1), which in fact directed users to a page designed to look like the Gmail login page. Some users, after receiving these messages, trusted the sender, were unaware that her account had been hacked, and were unfamiliar with such methods of cyber attack; they entered their account information and immediately lost control of their own accounts.
Several people whose accounts were compromised in the hours after Ms. Mowlaverdi’s account was hacked told the Campaign that, unaware of the hacking and believing they were corresponding with her, they handed over a code sent to their phone when the hacked account asked for it, and lost control of their Telegram and Facebook accounts. (Image 2)
In the second method, which was widely used during the elections for the tenth parliament and as a result of which dozens of journalists and political activists lost control of their accounts, the attacker sends a PowerPoint file and asks the user to retrieve the required information from it. For example, while the Guardian Council was reviewing the qualifications of candidates for the elections to the Islamic Consultative Assembly and the Assembly of Experts, after Hassan Khomeini’s qualifications were rejected, a PowerPoint file was sent to a large number of journalists with the subject line: “Breaking News: Hassan Khomeini’s Reaction to his Disqualification.” (Image 3)
By opening this PowerPoint file, malware is installed on the victim’s device. This malware sends complete information about the victim’s computer to its creators, and as long as this malware exists on the victim’s computer, even if the passwords of user accounts are changed, control will remain in the hands of the attackers.
In a new version of this method, the PowerPoint file containing malware was placed in a compressed zip file. Activists and journalists received emails with this zip file, which claimed to contain the latest photos of the ill political prisoner Omid Kokabi. Opening the PowerPoint file inside the zip file activated the malware. Such attacks usually increase when major news breaks, so that hackers can exploit users’ interest in the topic to spread malware.
In some cases, if people were not online, they were called and asked to open an important file they had received. Or they were warned that their email had been hacked and that they should quickly change their password, or, in the case of those who had activated two-factor authentication for their accounts, they were asked under various pretexts to read out the code sent to their phone over the phone.
A journalist who became a target of hackers after the account of one of these officials was hacked told the Campaign: “I received a message on Google Chat from Mr. … asking me to open a file, and because I hadn’t been in contact with him for years, I became suspicious. When I clicked on it, I saw that the URL was fraudulent and I was certain that his email had been hacked. After that I received a phone call with a London code where someone complained about why I was sending him unrelated emails. I didn’t know him at all and didn’t understand what he was talking about. When I checked my Gmail, I found an email from Google saying that people were trying to hack my Gmail. When I looked at the email address, instead of google.com, I noticed it was qooqle.com, and that was also an attempt to hack my account.”
In the third method, which we have seen increase in recent weeks with attacks on Iranian users, the attacker, by sending a password change request to user accounts on Facebook, Gmail, and Telegram, causes a special code for changing passwords to be sent to users’ phone numbers via text message.
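As an added example that is not part of the Campaign’s report, the following defender-side check covers two signals from the cases above: a login link hosted on a lookalike of google.com such as qooqle.com, and a trusted name embedded as a subdomain of some other domain. The trusted-domain list, the confusable-character pairs and the sample message are constructed assumptions, not data from the report.

```python
import re
from urllib.parse import urlparse

# Registrable domains of the services named in the report (constructed list).
TRUSTED = {"google.com", "facebook.com", "telegram.org"}

# Character substitutions commonly seen in lookalike domains (constructed, not exhaustive).
CONFUSABLES = {"q": "g", "0": "o", "1": "l", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message of the kind sent from a compromised account.
SAMPLE_MESSAGE = (
    "Hi, please see the document at https://drive-share.example/doc "
    "and sign in here first: http://accounts.qooqle.com/signin"
)


def registrable(host: str) -> str:
    """Crude registrable domain: the last two DNS labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's host."""
    host = (urlparse(url).hostname or "").lower()
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted"
    # Trusted name used as a subdomain of another domain, e.g. google.com.evil.example
    if any(host.startswith(t + ".") or ("." + t + ".") in host for t in TRUSTED):
        return "lookalike"
    folded = dom
    for bad, good in CONFUSABLES.items():  # qooqle.com -> google.com
        folded = folded.replace(bad, good)
    if folded in TRUSTED or any(levenshtein(dom, t) <= 1 for t in TRUSTED):
        return "lookalike"
    return "unknown"


def scan_message(text: str) -> list:
    """Extract every URL in a message body and classify its host."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]
```

Running `scan_message(SAMPLE_MESSAGE)` flags the second link as a lookalike of google.com; the first is merely unknown and would need a separate reputation check.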
***
Source: International Campaign for Human Rights in Iran