
A base affiliated with the Revolutionary Guards is actively recruiting for cyberattacks in Tehran.
May 27, 2016—The findings of the International Campaign for Human Rights in Iran show that after long-standing cyberattacks by the Islamic Revolutionary Guard Corps (IRGC) on civil society activists and journalists, the IRGC has now expanded its attacks to include officials in the government of Hassan Rouhani, including figures close to him and members of his cabinet. The government of Hassan Rouhani has not publicly criticized the IRGC attacks.
In the latest attack, Shahindokht Molaverdi, the deputy minister for women and family affairs in Hassan Rouhani's government, announced on May 1st, through posts on her Twitter and Telegram pages, that her Gmail and Facebook accounts had been hacked and asked her audience not to respond to messages published on her behalf.
Hadi Ghaemi, director of the International Campaign for Human Rights in Iran, said in this regard: “The violation of privacy through cyber attacks that have been carried out on a large scale and in an organized manner by arbitrary agencies affiliated with military institutions against journalists and civil activists for years has now also targeted officials in the Hassan Rouhani government.” He added: “Given the extensive dimensions of such attacks, the President and officials of the Iranian Ministry of Communications must take serious action to identify and stop these attacks and put an end to the violation of citizens’ rights in this area.”
In addition to Ms. Molaverdi, over the past two years, high-ranking officials in Hassan Rouhani’s government, including a close advisor to him, a cabinet minister, a deputy foreign minister, and Seyyed Mohammad Ali Abtahi, former vice president under Mohammad Khatami, have been targeted by these hackers. Some of these individuals have lost control of their accounts for a period of time or completely.
These attacks are part of a two-year ongoing effort by forces known as the cyber army and non-state security groups that have targeted the online activities of government officials and reformist figures, in addition to civil activists and journalists. After compromising an account, the attackers not only use the information they obtain but also use the account to target people close to the victim, so that the attack spreads in a chain.
The campaign has also learned that over the past year, one of the IRGC headquarters has been actively contacting network security experts in Iran, inviting them to collaborate on projects whose main goal is to design cyberattacks using phishing, malware, and Trojan horse techniques, and even threatening them.
An IT specialist who was himself invited to cooperate with the IRGC told the campaign: “This base has promised sufficient salaries to hire these people, and in cases where these specialists have refused to cooperate with this institution, they have intimidated these people, warning them of the consequences of not cooperating with them.”
In all of these cases, after hackers took control of the user accounts of political figures, they quickly contacted people they had been in contact with, especially politicians and journalists, even non-Iranian journalists, so that they could trap other people before the news of the hacking of these accounts became public and make the most of the hacking in the shortest possible time.
The campaign's investigations also show that the Iranian cyber army and security agencies have used three main techniques for such attacks. These techniques are not considered advanced methods, but due to users' lack of familiarity with the basics of maintaining the security of their accounts, these attacks are very effective.
The most common and one of the oldest methods used to attack users is the technique known as social engineering. In this method, the attacker or attackers send the user a link to a page that imitates a Gmail login page, asking them to enter their account name and password in order to access a file that has apparently been shared with them on Google Drive. These attacks are known as phishing attacks. Once the user enters the username and password, the attacker effectively has control of their account.
Those who controlled Ms. Molaverdi's Facebook account sent an email or Facebook message asking users to open a link (Photo 1), which actually directed users to a page designed to look like a Gmail login page. After these messages were sent, some users, trusting the sender, not knowing that her account had been hacked, and unfamiliar with such methods of cyberattack, entered their account information and immediately lost control of their accounts.
Several of those who lost their accounts for a few hours after Ms. Molaverdi's account was hacked told the campaign that, not being aware of the hacking and being careless, they thought they were corresponding with her; when the hacked account asked them for a code that had been sent to their phone, they handed it over and lost their Telegram and Facebook accounts. (Photo 2)
In the second method, which was widely used during the 10th Majlis elections, and as a result, dozens of journalists and political activists lost control of their accounts, the attacker sent the user a PowerPoint file and asked them to obtain the information they needed from this file. For example, when the Guardian Council was busy reviewing the qualifications of candidates for the elections to the Islamic Consultative Assembly and the Assembly of Experts, after the disqualification of Hassan Khomeini, a PowerPoint file was sent to a large number of journalists with the following text in the email subject: “Breaking News: Hassan Khomeini’s Reaction to His Disqualification.” (Photo 3)
Opening this PowerPoint file installs malware on the victim's device. This malware sends information about the victim's computer to its creators, and as long as the malware is present on the victim's computer, even if the user account passwords are changed, the attackers will still have control.
In the new version of the method, the PowerPoint file containing the malware was compressed into a ZIP file. Activists and journalists received emails with the ZIP file, which claimed to contain the latest photos of the ailing political prisoner Omid Kokabee. Opening the PowerPoint file inside the ZIP file activated the malware. Hacker attacks often increase during times of special news, since hackers can take advantage of users’ interest in a particular topic to spread the malware.
In some cases, people have been telephoned when they were not online and asked to open an important file they had received. They have either been warned that their email had been hacked and that they should change their password immediately, or, in the case of those who have enabled two-factor authentication on their accounts, they have been asked, under various pretexts, to read out over the phone the code that had been sent to their mobile.
A journalist who was targeted by hackers after one of these officials was hacked told the campaign: “I received a message on GChat from Mr. … asking me to open a file and I became suspicious because I had not been in contact with him for years. When I clicked on it, I saw that the URL was fake and I was sure that his email had been hacked. Then I received a phone call with a London code from someone complaining why I was sending him irrelevant emails. I didn’t know him at all and I didn’t understand what he was talking about. When I went to my Gmail, I saw that the email was from Google saying that people were trying to hack my Gmail. When I looked at the email address instead of google.com, I saw that it was qooqle.com, which was also an attempt to hack my account.”
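The qooqle.com address in the account above is a lookalike domain: a visually confusable character substituted into the real one. As an added example that is not part of the original report, the Python check below folds confusable characters and flags sender domains within one edit of a trusted domain; the trusted-domain list, the confusable table and the sample addresses are constructed assumptions, not data from the campaign.

```python
# Added example, not from the article: flag sender domains that imitate a
# trusted domain (e.g. qooqle.com for google.com). Lists are constructed.
import re

# Constructed allow-list of domains the recipient expects account mail from.
TRUSTED = {"google.com", "facebook.com", "telegram.org"}

# Constructed table of visually confusable substitutions, folded to canonical form.
CONFUSABLES = {"rn": "m", "vv": "w", "q": "g", "0": "o", "1": "l"}


def fold(domain: str) -> str:
    """Normalise confusable characters so qooqle.com and g00gle.com become google.com."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character additions such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or 'user@host'; '' if malformed."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""


def classify(address: str) -> str:
    """Return 'trusted', 'lookalike:<domain it imitates>', 'unknown' or 'invalid'."""
    dom = sender_domain(address)
    if not dom:
        return "invalid"
    if dom in TRUSTED or any(dom.endswith("." + t) for t in TRUSTED):
        return "trusted"
    for t in sorted(TRUSTED):
        if fold(dom) == fold(t) or edit_distance(dom, t) <= 1:
            return f"lookalike:{t}"
    return "unknown"
```

A sender that classifies as a lookalike is a strong signal that a "security alert" message is itself the phishing attempt; the check is cheap enough to run on every inbound account-related mail.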
In the third method, which has been used increasingly against Iranian users in recent weeks, the attacker submits a password reset request for the target's Facebook, Gmail, or Telegram account, which causes a one-time code for changing the password to be sent by SMS to the user's phone number.
***



Source: International Campaign for Human Rights in Iran




