Beware Iran’s Cyber Threat

Iran Focus

London, 07 Mar – It may be easy for some to underestimate Iran’s cyber threat to the US, given that most analyses describe Iran’s offensive cyber capabilities as fractured, decentralized, and inferior to other states, but make no mistake, what Iran lacks in technique it makes up for in persistence.

A recent report by the Carnegie Endowment for International Peace, entitled Iran’s Cyber Threat: Espionage, Sabotage, and Revenge, assesses that the majority of Iran’s espionage and sabotage campaigns have been against “soft” foreign targets, but that Iran will “strategically engage in disruptive and destructive attacks”.

Iran’s cyber threat programme is one way for Iran to attack its enemies without the military strength that the US or Saudi Arabia have.

Researcher Collin Anderson assesses in a report that these Iranian hacking groups, which are acting under the command of the Ministry of Intelligence and the Islamic Revolutionary Guard Corps, target Iranian dissenters as well as the government and commercial institutions of foreign countries (especially Israel, Saudi Arabia, and the US).

These hacking groups often have overlapping tactics and share resources, including malware, infrastructure, and attack methods. The most significant hacking groups include:

APT33: Discovered in 2017 by cyber security firm FireEye, this group has been launching hacking and spear phishing attacks against aerospace and petrochemical companies in the US, Saudi Arabia and South Korea.

APT34 (aka OilRig or Helix Kitten): Mainly conducts spying and reconnaissance missions against many industries in the Middle East.

APT35 (aka Newscaster, NewsBeef or Charming Kitten): Creates fake journalist accounts to trick people into visiting phoney websites that secretly download malware to track visitors and harvest their information.

What is the US doing?

The US used cyber warfare to attack Iran back in 2007, targeting their nuclear facilities.

The US has also handed down in-absentia federal indictments of seven men connected to the Iranian government and the IRGC for the DDoS attacks on the US financial sector, including Hamid Firoozi, who was also charged with hacking into the control system of a New York dam.

Cyber attacks against the US have gone down in recent years, but many, including Martin Libicki, a senior management scientist at the global think tank organization RAND Corporation, believe this is because Iran is attacking regional foes instead.

Indeed, Iran, which is heavily involved in both the Syrian and Yemeni civil wars, has been attacking Saudi Arabia and the Gulf Cooperation Council who are on the opposite side of the wars.

It is noteworthy that, parallel to its malign cyber activities outside Iran, a new report by the Iranian opposition coalition, the National Council of Resistance of Iran (NCRI), sheds light on Iran’s desperate campaign to adapt its surveillance and censorship equipment in order to survive now that the internet is so commonplace.

The report, entitled “Iran: Cyber Repression: How the IRGC Uses Cyberwarfare to Preserve the Theocracy”, exposes how Iran covertly and overtly spies on its citizens and spreads propaganda across social media.

The NCRI also provided a list of Regime-created variations of the Telegram app, promoted as Farsi versions, which Iran wanted to trick the public into downloading in order to spy on their internet activity, identify and arrest activists, and introduce malware that would prevent the user from accessing opposition channels.

The most downloaded of Iran’s apps is Mobogram, developed by Hanista, a front company for the Iranian Revolutionary Guards (IRGC).

Iran even slowed down or blocked traffic to the official Telegram app to force people into downloading their versions.

Iran is specifically targeting Telegram because it has over 40 million users in Iran and was widely used by protesters in the uprising at the start of 2018.

Iran even got its malware-filled apps onto Google Play and Apple’s App Store, which violates the terms of service for both stores. Google has since identified one and removed it, but there are more on there.

Alireza Jafarzadeh, the deputy director of the NCRI’s Washington office, said: “The Iranian regime is currently hard at work to test the success of these apps on the people of Iran first. If not confronted, its next victims will be the people of other nations.”

Jafarzadeh added that the unit responsible for this surveillance is the same one tasked with cyber warfare against the West.
