Iranian hackers, most of them employees or affiliates of the government, are running a large cyberespionage operation equipped with surveillance tools built to outmaneuver encrypted messaging systems. According to digital security reports released recently, it is a capability Iran did not have a few days ago.
According to reports by Check Point Software Technologies, a cyber-security technology firm, and Miaan Group, a human rights organization that focuses on digital security in the Middle East, the operation's usual targets are domestic dissidents, religious and ethnic minorities and anti-government activists abroad, and its tools can also be used to spy on the general public inside Iran.
The reports, reviewed by The New York Times before their release, say the hackers have infiltrated targets' mobile phones and computers by overcoming the protections of encrypted applications such as Telegram and, according to Miaan, by gaining access to information on WhatsApp. Both are Iran's most popular messaging apps. The reports also say the hackers have created malware disguised as Android applications.
A Telegram spokesperson said the company was not aware of the Iranian hacker operation, but noted that no service can prevent itself from being imitated in "phishing" attacks, in which someone tries to convince a user to enter their credentials on a malicious website. WhatsApp has not commented on the matter.
The reports also show important advances in the competence of Iranian intelligence hackers, and they come alongside warnings from Washington that Iran is using cybersabotage to influence US elections. Federal prosecutors recently identified two Iranian individuals who are said to have hacked into US computers and stolen data on behalf of the Iranian government for financial gain.
Amir Rashidi, director of digital rights and security at Miaan and the researcher behind its report, said Iran's behaviour on the internet, from censorship to hacking, has become far more aggressive. A report by Check Point's intelligence unit says the cyberespionage operation was set up in 2014 and that its full capabilities remained undetected for around six years. Miaan traced the first operation to February 2018, to an email targeting a Sufi religious group in Iran after a confrontation between its members and Iranian security forces.
The malware used in that attack, and in other attacks in June 2020, was traced to a private technology firm named Andromeda in Mashhad, a city in Iran's northeast. Miaan's researchers also found that Andromeda had a pattern of attacking activists, ethnic minority groups and separatist opposition groups, and had developed phishing and malware tools to target the general public.
The Miaan report states that the hackers aimed to steal information about Iranian opposition groups in Europe and the United States and to spy on Iranians who use mobile applications to plan protests.
Common victims of these attacks included Mujahedeen Khalq, or MEK, an insurgent group that Iranian authorities consider a terrorist organization; the Association of Families of Camp Ashraf and Liberty Residents; the Azerbaijan National Resistance Organization; citizens of Iran's restive Sistan and Baluchestan province; and HRANA, an Iranian human rights news agency. Miaan also said that human rights lawyers and journalists working for Voice of America are being targeted.
Check Point also stated that the hackers use a wide range of infiltration techniques, including phishing, but that they mostly send tempting documents and applications to carefully selected targets. One is a Persian document named "The Regime Fears the spread of the Revolutionary Cannons.docx", which refers to the struggle between the government and MEK and was sent to members of that movement. Another document was disguised as a widely awaited report by human rights activists on a cybersecurity researcher.
The documents carried malicious code that fetched spyware commands from an external server when recipients opened them on their phones or desktops. The Check Point report also said the targets have mostly been organizations and opponents of the government who left Iran and now reside in Europe. Miaan documented targets in the United States, Turkey, Canada and the European Union.
The spyware let the attackers access any file, logs and clipboard data, steal information and capture screenshots. Miaan said one application allowed the hackers to download data stored by WhatsApp. The attackers also found a weakness in the installation process of encrypted applications such as Telegram, long regarded as secure, that allowed them to steal the apps' installation files.
Those files then let the attackers use the victims' Telegram accounts. The attackers cannot decipher Telegram's encrypted communications, but that turns out to be unnecessary: instead, they use the stolen installation files to create Telegram logins and activate the app in the victim's name on another device, after which they can monitor the victim's Telegram activity.
Lotem Finkelstein, head of threat intelligence at Check Point, said the cutting-edge surveillance operation managed to stay under the radar for six years. The group maintained a multi-platform targeted-attack capability with mobile, desktop and web attack vectors, leaving no evasion path for victims on the target list. The attackers designed their cyberweapons specifically to target instant messaging apps, including the secure ones.
Finkelstein also said the hackers might be freelancers employed by Iranian intelligence, as has been shown in previous Iranian hacking cases. The operation's infrastructure led Check Point to conclude that the attacks were administered by Iranian entities against regime dissidents.