
Revealing the methods of cyber attacks against hundreds of Iranian activists / Mostafa Rahmani
Translation by Mostafa Rahmani
Last year, a group of hackers, possibly affiliated with the Iranian government, set up new infrastructure to support their cyber attacks. The hackers’ malware infected the computers of human rights activists and dissidents inside and outside Iran, and the infected machines connected back to several servers under the hackers’ control.
At that stage, “Collin Anderson” and “Claudio Guarnieri”, two independent security researchers who had been monitoring Iranian hackers for three years, saw an opportunity. They registered a series of domains connected to the hackers’ infrastructure and waited.
Six months later, the malware on the computers of Iranian human rights activists was sending the information it stole to the hackers and to the researchers simultaneously.
Guarnieri, a technologist at “Amnesty International” and a member of “Citizen Lab”, says: “They never realized that we had been monitoring everything completely for several months.”
Not only did the two researchers collect the information sent by the victims’ machines; at one point, when the hackers were testing a new type of malware, their own test systems also reported to the command-and-control servers, and therefore to Anderson and Guarnieri’s servers.
In this way, the two researchers obtained the hackers’ traces, their accounts, IP addresses, and unique computer identifiers, along with “all of these things”, as they told me with embarrassed laughs during an interview in Las Vegas.
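The sinkhole described above works because an implant keeps checking in with whatever host its hard-coded domain resolves to; once a researcher controls that domain, every check-in lands on the researcher’s server. The following is an added example of such a collector, not code from the article or from Anderson and Guarnieri. It assumes a re-registered attacker domain now resolves to this host, that check-ins arrive over plain HTTP, and that an implant identifies its victim with a query parameter named `id`; all request shapes in the test are constructed for illustration, not a real implant’s protocol.

```python
"""Minimal HTTP sinkhole collector (added example; all assumptions labelled).

Assumption: the attacker domain has been re-registered and points here, so
the implants' periodic check-ins arrive at this server. Assumption: the
implant carries a victim identifier in an `id` query parameter.
"""
import time
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

RECORDS = []  # in-memory log; a real deployment would append to disk


def record_beacon(client_ip, method, path, headers, body, now=None):
    """Normalise one check-in into a flat record and store it."""
    parts = urlsplit(path)
    record = {
        "ts": now if now is not None else time.time(),
        "src_ip": client_ip,
        "method": method,
        "path": parts.path,
        # Query parameters are where an implant usually puts its own victim
        # identifier, which is what lets distinct machines be told apart
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "user_agent": headers.get("User-Agent", ""),
        "host": headers.get("Host", ""),
        "body_len": len(body),
    }
    RECORDS.append(record)
    return record


def summarize(records):
    """Count check-ins per source address and per `id` parameter (assumed name)."""
    by_ip = Counter(r["src_ip"] for r in records)
    by_id = Counter(r["params"]["id"] for r in records if r["params"].get("id"))
    return {
        "distinct_ips": len(by_ip),
        "by_ip": dict(by_ip),
        "distinct_ids": len(by_id),
        "by_id": dict(by_id),
    }


class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept any GET/POST, record it, and answer with an empty 204."""

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        record_beacon(self.client_address[0], self.command, self.path,
                      self.headers, body)
        # An empty response gives the implant nothing to act on
        self.send_response(204)
        self.end_headers()

    do_GET = _handle
    do_POST = _handle

    def log_message(self, fmt, *args):
        pass  # RECORDS is the log; keep stdout quiet


if __name__ == "__main__":
    # Assumed bind address and port; run as a stand-alone sinkhole
    HTTPServer(("127.0.0.1", 8080), SinkholeHandler).serve_forever()
```

The per-IP and per-identifier counts are what turn raw check-ins into the kind of victim list the researchers describe: the same `id` seen from several addresses is one roaming machine, while a burst of new identifiers from one address is worth a closer look.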
Last week, Anderson and Guarnieri published a 50-page research paper that documented 300 individual cyber attacks on activists in Iranian hacking campaigns over the past three years.
These researchers say that their work shows that despite the media’s constant focus on Iranian hackers attacking foreign governments, companies, and critical infrastructure, these hackers are mostly trying to spy on Iranian citizens both inside and outside the country.
Guarnieri, noting that the hackers’ techniques are not exactly advanced but are effective, continues, “They gain a lot; they are progressing rapidly, which is a sign of the possibility of worsening conditions in the near future.”
For example, the two researchers show an old “phishing” email sent to one of the activists. The email was cleverly crafted to grab the attention of anyone with little knowledge of malware. It purported to come from the “CIA Security Program!” and asked the recipient to send anonymous reports to the spy agency by installing an “exe” file.
Three years later, these phishing attacks were no longer claimed to be sent from the CIA, but rather, as they say, by officials from the “Immigration Office”. These new emails were trying to convince the reader that they should be concerned about immigration paperwork by highlighting the number of Iranians living outside the country with visas. The appearance of these emails had become more professional and believable.
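Both lures described above share the same shape: a sender name that borrows an authority it cannot prove, and an executable the reader is urged to install. The following heuristic triage is an added example, not part of the article or of the research it describes; the two sample messages are constructed to mirror that description, and the indicator list and weights are illustrative assumptions rather than anyone’s production rules.

```python
"""Heuristic triage of a suspicious e-mail (added example, assumptions labelled).

SAMPLE_PHISH and SAMPLE_BENIGN are constructed messages; the extension list,
the regexes and the score weights are illustrative assumptions.
"""
import email
import re
from email import policy

# Constructed sample modelled on the article: an authority-sounding sender
# and an .exe the reader is told to install.
SAMPLE_PHISH = b"""From: "CIA Security Program!" <security-program@example.net>
To: activist@example.org
Subject: Submit your anonymous report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Install the attached reporting tool to send anonymous reports to the agency.

--XYZ
Content-Type: application/octet-stream; name="report_tool.exe"
Content-Disposition: attachment; filename="report_tool.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed benign control message: a colleague, no attachment.
SAMPLE_BENIGN = b"""From: Maryam <maryam@example.org>
To: activist@example.org
Subject: Notes from yesterday
Content-Type: text/plain; charset="utf-8"

Nothing attached, just confirming we meet at 10.
"""

# Assumed list of extensions that run code when opened on Windows
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jar", ".hta", ".msi", ".vbs"}
# Display-name terms that borrow an authority the message cannot prove (assumed)
AUTHORITY_RE = re.compile(r"\b(CIA|FBI|immigration|security program|visa)\b", re.I)
# Body text that urges the reader to install or run an attachment (assumed)
INSTALL_LURE_RE = re.compile(r"\b(install|run|open|execute)\b.{0,60}\battach",
                             re.I | re.S)


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and explain the score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = getattr(msg["From"], "addresses", ())
    display_name = addrs[0].display_name if addrs else ""
    address = addrs[0].addr_spec if addrs else ""
    attachments = [p.get_filename() for p in msg.iter_attachments()
                   if p.get_filename()]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    score, findings = 0, []
    # Last extension decides, so "report.pdf.exe" is still caught
    executables = [a for a in attachments
                   if "." + a.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS]
    if executables:
        score += 50
        findings.append("executable attachment: " + ", ".join(executables))
    if AUTHORITY_RE.search(display_name):
        score += 20
        findings.append(f"authority-claiming display name {display_name!r} "
                        f"sent from {address}")
    if INSTALL_LURE_RE.search(body):
        score += 15
        findings.append("body urges installing or running an attachment")
    verdict = "high" if score >= 50 else "medium" if score >= 20 else "low"
    return {"score": score, "verdict": verdict,
            "findings": findings, "attachments": attachments}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

The executable attachment alone is enough for a “high” verdict here, which matches the article’s point: the 2017 “Immigration Office” lure is more polished than the 2014 “CIA” one, but a rule keyed on what the message asks the reader to run is indifferent to how professional the wording has become.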
In this research, which is a part of a larger research project and will be published this year by the Carnegie Endowment for International Peace in Washington, Anderson and Guarnieri describe the activities of four different Iranian hacker groups named “APT33”, “Charming Kitten”, “Rocket Kitten”, and “CopyKittens”.
Their research is not only a deep look into the activities of Iranian hackers against civil society, building on and extending previous research; it also shows that one does not need to be an antivirus company with visibility into thousands of computers around the world in order to obtain malware samples.
The method that Anderson and Guarnieri used was to establish relationships with the communities targeted by the hackers.
Guarnieri says: “We do not set up data centers, we do not have access to cloud information or anything else. But we have access to a source that probably no security company has access to, which is a network made up of people.”
The two researchers formed this network by communicating directly with Iranian dissidents and reaching out to their groups and communities. Anderson, for example, was chosen as an expert on Iranian internet issues. This researcher, based in Washington DC, repeatedly states: “Having such trustworthy relationships with those communities allowed us to create our own version of surveillance systems on those systems.”
Throughout these years, the two researchers have been in contact with Iranians who had received suspicious emails; building trust in such situations is not easy. Anderson remembers one time when a friend of his connected him with someone who had received a threatening email. At first, the person didn’t believe him. Anderson says, “I told him, you don’t know me, but you’re in danger.” Anderson continues, “Sometimes they didn’t believe me and I had to say, well, here are a few files from your computer.”
After three years of collecting evidence and working behind the scenes on the malware, the two researchers decided to make their work public this summer, following the disclosure of the intrusion group by the security company Palo Alto in early May.
That security company, guided by the data traffic flowing to the hackers’ servers, had disrupted the hackers’ operations on their control servers during the Iranian weekend holidays. According to Anderson and Guarnieri, when the offline days ended and the hackers regained access to their servers, they frantically checked every server to understand what had happened.
At that stage, the two researchers concluded that it was time to go public. They believed that exposing the hackers’ tactics would not only help potential victims be more careful, but would also hinder the hackers’ future operations.
Guarnieri says: “If we don’t take action, we can’t stop them. Of course, the publication of [this research] doesn’t stop them, but it creates a kind of economic tension between the cost of investing in the formation and maintenance of these campaigns and their publication.”
However, despite the discovery of approximately 300 attacks, these two researchers emphasize that this is likely just the tip of the iceberg. They urge the security industry to take action, assist in gathering more cases, and share samples of malware.
Guarnieri says: “The communities [of Iranian activists] that we are in contact with are completely abandoned and helpless, they are not anyone’s customers, and they are not protected technically by anyone. It is truly a very difficult task for us to handle it alone.”
Explanation:
This article is Peace Line’s translation of Lorenzo Franceschi-Bicchierai’s report, which was published on August 11th of this year on the Motherboard website.
Created by: Mostafa Rahmani
Tags: Claudio Guarnieri, Collin Anderson, cyber army, cyber attack, cyber attacks, email, espionage, Monthly Peace Line Magazine issue number 64, Mostafa Rahmani, phishing, the Carnegie Endowment for International Peace, virtual space

