Researchers finds ongoing surveillance campaign from 2014 targeting Iranian expats and defectors

The history of Iranian cyber-offensive operations has shown that the same threat actors responsible for espionage against the private sector are engaged in surveillance of human rights defenders and are significantly more successful.

The relationship between Iran-originated cyber activities and the government, as well as the motivations for such operations, is made more apparent by the lens of such attacks. These communities anticipate tactics and tools that will be used against other targets, and enhanced information will be allowed for more effective education and mitigation strategies.

While the internet has provided Tehran’s security agencies with new opportunities to monitor and intercept communications from their citizens, concurrent information technologies also limit the reach of the state. Iran was one of the first countries to connect to the internet in the Middle East; most of the people used the internet frequently as of March 2017.

Iranian internet users have quickly embraced massive groups of social media and chat applications as forums where there are so many social freedoms. Iranian citizens have relocated their communications to online services hosted outside Iran and protected their interactions by encryption from eavesdropping. They also avoided the more traditional means by which surveillance is carried out by Iranian law enforcement and intelligence agencies.

While local hosting providers and social media could be forced to remove content and disclose account ownership information, platforms that are hosted outside Iran are well beyond the state’s direct reach.

Without great success, the Iranian government has sought to compel foreign firms to comply with user data requests. Iranian officials themselves tend to use communication tools and social media applications developed in the United States Domestic alternatives to foreign services, supported by the state under its national Internet plan, have failed to attract significant adoption.

Besides, millions in the Iranian diaspora live in countries without a security cooperation agreement with Tehran, many of whom left Iran because of state repression, and are less likely to communicate via unsafe Iranian platforms. Therefore, unlike the first two decades after the revolution, the interactions and personal matters of Iranians are increasingly out of the range of the state. The nature of state controls has been fundamentally modified by this dynamic.

The Iranian government has struggled to respond to the internet’s challenges to the state’s monopoly of information and communication. Mandatory content filtering was among their first responses, which entailed blocking access to any sites deemed pornographic, anti-religious, or politically subversive.

However, filtering has become less effective with the wider accessibility of copyright protection tools. Subsequently, the regime was given the ability to reassert some control over information flows and project the illusion of the Islamic Republic’s dominance over the internet by basic offensive cyber operations, such as disrupting adversarial sites through the Green Movement. As the online platforms and tools used by the public change, Iranian cyber operations are highly adaptable. For instance, because of its unfiltered public chat feature and security claims, Iranians moved to Telegram, which gained the attention of Iranian threat actors.

One threat actor appears to have gone as far as mapping all the Telegram accounts associated with Iranian telephone numbers, alongside credential theft operations targeting Telegram users. This information-gathering operation had deeper links with efforts to target the users of the chat application and aligned with recurrent arrests of critical Telegram group administrators. This learning process is repeated for mobile phones and Macintosh computers.

The backdoors were not the only way the attackers attempted to steal data about Telegram accounts. Some of the websites linked to this malicious activity also hosted Telegram: impersonating phishing pages.

Surprisingly, several Iranian telegram channels sent out warnings against these websites or phishing, claiming that the Iranian regime is behind them. The phishing messages were sent by the Telegram bot, according to the channels. The messages warned their recipient that they were making improper use of the services of Telegram and that if they do not enter the phishing link, their account will be blocked. Another Telegram channel provided screenshots of the phishing attempt showing that the attackers set up an account that represents the official Telegram. At first, a message about the features in a new Telegram update was sent by the attackers to appear legitimate. Only five days later, the phishing message was sent and pointed to https:/telegramreport[.]me / active mentioned by Checkpoint.

State-aligned offensive cyber operations routinely focus on similar classes of targets across distinct sets of threat actors and different time periods, primarily: Government officials, Reformist politicians, Media professionals, Religious minorities, Cultural figures, Opposition groups, terrorist organizations, and ethnic separatist movements.