Religious minorities and political and civil rights activists in Iran were among those most heavily targeted, along with ethnic minorities, in particular Azerbaijanis. (Wired)

By Ashkan Khosropour and Ebrahim Ramezani

September 22, 2020

Hackers loyal to the Iranian regime have stepped up their routine targeting of opposition groups and groups supporting the rights and interests of Iranian ethnic and religious minorities, a new report reveals.

On September 18, Check Point Research, the threat intelligence arm of the security vendor Check Point, published a detailed report on organized and extensive attacks carried out by Islamic Republic hackers against opposition groups and individuals. Religious minorities and political and civil rights activists were among those most heavily targeted, along with ethnic minorities in the country, in particular Azerbaijanis.

The report outlined how hackers with links to the Iranian government successfully gained access to information kept on the personal computers and smartphones of human rights activists, lawyers and journalists.

Check Point Research said hackers had used a range of methods, including what the report described as “four variants of Windows info-appropriation devices intended to steal the victim’s personal documents as well as access their Telegram Desktop and KeePass account information,” “an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more,” and “Telegram phishing pages, distributed using fake Telegram service accounts.”

Babak Chalabi, spokesman for the Azerbaijan National Resistance Organization, who currently lives in the US, fell victim to these attacks in October 2018. “In recent years I had received many suspicious emails, but not opened any of the links embedded in them,” Chalabi told IranWire. “After an interview with [the Dubai-based] Al Arabiya television about cyberattacks, I received an email from somebody who claimed to be Al Arabiya’s editor. The email wanted me to have a look at complaints the network had received about my interview. After I opened the link I was taken to a weblog that appeared to be normal, so there was nothing there to make me suspicious. But later I noticed changes in my personal computer and after doing some research I found out I had been targeted by the Islamic Republic’s cyberattacks.

“After conducting a study of online attacks, doing additional research and contacting others, I found out that more than 70 Azerbaijani activists [in the US and in European countries] have fallen victim to these attacks.

“After I was targeted by cyberattacks, my personal information and information about the organization I am associated with were posted on various social media sites. I am going to file a complaint against the Islamic Republic because of these attacks,” Chalabi told IranWire.

Other Prime Targets: Dervishes and Religious Minority Activists

Cybersecurity researcher Amir Rashidi spoke to IranWire about the most recent methods hackers had used against Iranian targets. Attacks included sending infected files via the Telegram messaging app, and programs that infiltrate devices and capture screenshots and other information to spy on victims and their activities.

The familiar but still effective method of “phishing” is also regularly used to steal information. The unsuspecting victim is directed to a fake site that resembles the genuine site he or she intended to visit, and then enters information such as passwords, believing the site to be the real one.
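The practical defence against this is to check where a link actually points before following it. The Python below is an added example, not code from the article or from Check Point's report: it takes a link from a suspicious message, extracts the host, and flags the tricks the article goes on to describe, such as a near-miss top-level domain (“.og” in place of “.org”), a trusted name buried as a subdomain of an attacker's domain, and a Cyrillic letter standing in for a Latin one. The trusted domains and the sample links are constructed for illustration and are not indicators from any real campaign.

```python
"""Link-domain check for a suspicious e-mail. Added example; not from the
IranWire article or Check Point's report. TRUSTED_DOMAINS and the URLs used
with it are constructed for illustration."""
from urllib.parse import urlparse

# Constructed allowlist: domains the recipient expects the claimed sender
# (here a fictitious "example.org" newsroom) to link to.
TRUSTED_DOMAINS = {"example.org", "mail.example.org"}

# Cyrillic letters that render like Latin ones. Reducing a hostname to an
# ASCII "skeleton" makes ex\u0430mple.org (Cyrillic a) compare equal to example.org.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u04cf": "l", "\u04bb": "h",
}


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. A naive stand-in for a public-suffix
    lookup; it is wrong for names such as example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(hostname: str) -> str:
    """Replace confusable characters with their Latin lookalikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character slips like .og for .org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return one of: trusted, homograph, subdomain-spoof, lookalike,
    unknown, invalid."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    if not host or " " in host:
        return "invalid"
    try:
        ascii_host = host.encode("idna").decode("ascii")        # punycode form
        unicode_host = ascii_host.encode("ascii").decode("idna")  # display form
    except UnicodeError:
        return "invalid"

    trusted_rd = {registrable_domain(t) for t in trusted}
    if ascii_host in trusted or registrable_domain(ascii_host) in trusted_rd:
        return "trusted"

    # Non-ASCII host whose Latin skeleton is a trusted name: IDN homograph.
    sk = skeleton(unicode_host)
    if sk != ascii_host and registrable_domain(sk) in trusted_rd:
        return "homograph"

    # Trusted name used as a subdomain of an attacker-controlled domain,
    # e.g. example.org.evil.net.
    for t in trusted_rd:
        if ascii_host.startswith(t + ".") or "." + t + "." in "." + ascii_host:
            return "subdomain-spoof"

    # Near-miss registrable domain, e.g. example.og or examp1e.org.
    rd = registrable_domain(ascii_host)
    if any(edit_distance(rd, t) <= 2 for t in trusted_rd):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://mail.example.org/complaints", "http://example.og/complaints",
                 "http://example.org.evil.net/", "http://ex\u0430mple.org/",
                 "https://unrelated.com/"):
        print(f"{classify_link(link):16s} {link}")
```

In a real deployment the two-label `registrable_domain()` stand-in would be replaced by a public-suffix list lookup, and the allowlist would hold the domains the claimed sender really uses, which is exactly the knowledge a targeted activist usually lacks at the moment the link arrives.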

“These attacks have been carried out mainly against activists for the rights of ethnic and religious minorities, including Gonabadi dervishes and other activists who have been in contact with them,” says Amir Rashidi. He adds that the majority of the victims had used devices with Windows or Android, but he says, “this does not mean that other operating systems are secure and impenetrable. It is just that this specific group of hackers focused on these operating systems.”

The Fake Israeli Agent

Chalabi says that, according to information he received from US security authorities after the attacks, they were launched from Urmia, the capital of West Azerbaijan province. “Cyberattacks carried out on my personal computer were directed from Tehran but they were launched from Urmia,” he says. “Last month there were other attacks as well. It was by a person who presented himself as somebody who worked with an Israeli anti-terrorism agency. This time, however, I was more experienced and after consulting computer security experts and research I found out the email was not sent from such an agency. And the domain in the link was ‘OG’ not ‘ORG’.

“Last year, in addition to cyberattacks against me, I was followed by the Islamic Republic’s spies when I had traveled to Turkey to meet my family. I was approached by individuals at a restaurant. They threatened me and said ‘Mr. Chalabi, we have our eyes on you.’ I reported the threat in detail to Turkey’s security police and I was protected by the Turkish police until the day I left.”

Of course, the Islamic Republic does not limit its cyberattacks to Iranian citizens or opposition groups.

On Thursday, September 17, the US Attorney for the Eastern District of Virginia unveiled an indictment charging three computer hackers, “all of whom were residents and nationals of the Islamic Republic of Iran, with engaging in a coordinated campaign of identity theft and hacking on behalf of Iran’s Islamic Revolutionary Guard Corps… in order to steal critical information related to United States aerospace and satellite technology and resources.” They were identified as Said Pourkarim Arabi, 34, Mohammad Reza Espargham, 25, and Mohammad Bayati, 34, all Iranian nationals residing in Iran.

According to the indictment’s allegations, the defendants’ hacking campaign, which targeted numerous companies and organizations in the United States and abroad, began in approximately July 2015 and continued until at least February 2019. The defendants at one time possessed a target list of over 1,800 online accounts, including accounts belonging to organizations and companies involved in aerospace or satellite technology and international government organizations in Australia, Israel, Singapore, the United States and the United Kingdom.

New Hacker Tricks

Another human rights activist who has fallen victim to these kinds of attacks told IranWire he had received many suspicious emails in recent years, though he had never opened links in them. Nevertheless, he says he has downloaded files about legal matters from various sites and suspects that his computer could have been compromised as a result.

He says that at one time hackers got control of his Telegram account when the app was open on his desktop and sent infected files to a human rights group. According to him, the names of the files were changed in a way that suggested they could have contained information about a human rights activist.

“A review of these hackers’ activities show that they had considerable information about their victim before the attack and knew how to make him download something or run a certain program,” says Rashidi. “The hackers knew that one of their victims was not fluent in the language of the country where he lived and he wanted to find some information about a government company. The hackers put this information on a Persian-language app and managed to attract the attention of the victim.”

Hacking through App Stores

Interviews with some of the victims of these cyberattacks show that they used free software to perform their personal or professional tasks. In many cases, the victims downloaded software from the first site they found, and such sites do not necessarily provide users with safe files.

According to Amir Rashidi’s research, in the last few years hackers have created at least seven applications to compromise their targets’ accounts or devices, and have succeeded in stealing their information, usually via Instagram or Telegram. Some of these applications were offered on sites such as Café Bazaar, an Iranian Android marketplace. One of these malicious applications was removed from Café Bazaar, but after a while it reappeared on the site.

So how can anyone remain secure online, especially an Iranian activist? In addition to enabling the two-step authentication that many sites offer and using up-to-date tools to control internet traffic, says Rashidi, people must educate themselves about the tricks employed by hackers, tricks that are readily available to almost anyone with a good sense of how technology currently works.

Iran Wire
