Iranian State Hackers Launched Attacks on Same Day Supreme Leader Issued Fatwa Forbidding Privacy Violations
On the same day that Iran’s supreme leader issued a religious ruling ordering the state to refrain from “violating the people’s security and domestic space,” state hackers used malware to access private user information, the Center for Human Rights in Iran (CHRI) has learned.
Malware is a computer program that runs spyware with the aim of collecting information or eavesdropping on the victim after the spyware is installed on a computer or mobile phone. These attacks are heavily used in Iran to monitor, take control of, or block accounts.
The type of malware that was deployed and the people who were targeted indicate that the cyber attacks originated from the country’s security establishment, which includes the Islamic Revolutionary Guard Corps and the Intelligence Ministry.
Hacking citizens’ digital data to access their personal information is banned in Iran by the Cyber Crimes Law but security and judicial agencies have repeatedly broken this law.
37 Targets, Mainly Ethnic and Religious Minority Activists
According to an investigation by CHRI, between October 19, 2017, and April 9, 2018, Iranian state hackers sent malware to at least 37 different targets located inside and outside the country.
They include a media group affiliated with a Sufi order in Iran known as the Gonabadi Dervishes, Sufi and ethnic minority rights activists and Azeri separatist groups.
CHRI has also discovered that these same hackers launched phishing attacks from a domain that listed the city of Ardabil, northwestern Iran, in its registration information.
Phishing is a type of attack that tricks users into providing passwords to the victim’s account. In this type of attack, the hacker uses the information they have about the user, such as their contact list or interests, gains the victim’s trust, and then usually leads the victim to a bait website.
To deceive their victims into voluntarily typing in their personal information on a fake website, the Iranian hackers had created a website with a domain that was similar to that of the Telegram private messaging app, which is widely used in Iran.
CHRI obtained an email with a malware attachment that was sent to a media group supporting Gonabadi Dervishes, located outside Iran, with the subject line: “Four-hour film from 7th Golestan [street in Tehran]. Please inform everyone of the truth.”
The email falsely stated that the attached file was a video showing plainclothes agents attacking dervishes in Iran.
On February 19, 2018, hundreds of Gonabadi Dervishes protested against the arrest of a fellow dervish in front of a police station in Tehran. Three policemen were killed and dozens of dervishes were arrested after security forces tried to repress the protest.
The clashes came to be known as the “7th Golestan” protests because they took place in a Tehran neighborhood located near 7th Golestan St.
If the malware had been activated, the hackers would have been able to remotely control the victim’s online accounts as well as the victim’s computer.
Documents obtained by CHRI show that the hackers used the same malware on December 30, 2017, to attack individuals whose identity has not been confirmed.
CHRI has identified various malware by Iranian state hackers over the last two years.
In one case, state hackers broke into the Facebook account of a women’s rights activist in Tehran on November 6, 2017, and contacted Iranian reporters based in the US and Europe using the contact list of the hacked account. The hackers also tried to remotely control the target’s computer.
CHRI detailed this and several other Iranian state hacking attacks in its January 2018 briefing, “Guards at the Gate: The Expanding State Control Over the Internet in Iran.”