Last updated:

November 24, 2025

A Look at Iran’s Cyber Activities; In Conversation with Colin Anderson / Keyvan Rafiei

Kian Rafiei

In Iran's successive five-year development plans, cyberspace has consistently drawn policymakers' attention as a non-military defense tool and as a means of disseminating and organizing information. However, officials' pessimistic view of it has turned it into a tense space between citizens and security agencies. In such a space, the issue of "security" becomes important for users.

In light of the increase in cyber activities by the Iranian government, particularly those targeting political activists and members of civil society, we have turned to Colin Anderson.

Colin Anderson is considered one of the most well-known experts in cybersecurity, especially with regard to Iran. Mr. Anderson is a prominent security specialist focusing on internet control and communication restrictions. As an independent researcher, he has collaborated extensively with numerous academic institutions on public interest issues. He currently resides in the capital of the United States.

Colin Anderson has a long history of monitoring international sales of surveillance equipment, identifying violators of export controls and sanctions on eavesdropping and intrusion tools, tracking government cyber attacks, and researching new communication methods to bypass filtering. He is also among the experts on the project to create a "national internet" in Iran and disconnect from the global network. Colin has written multiple academic articles on the internet in Iran, including "Filtered Documents: Censorship of Wikipedia in Iran (2013)", "Internet Weakening: Identifying Bottlenecks as a Censorship Mechanism in Iran (2013)", "Hidden Internet in Iran: Private Allocations in the National Network (2012)", and the "Wikipedia Censorship Project in Collaboration with the University of Pennsylvania's School of Communications".

Mr. Anderson is a defender and advocate of freedom of expression in cyberspace and a supporter of the idea of holding human rights violators accountable.

Let me start with the first question: you have recently published several articles about the cyber activities of the Iranian government or its affiliated forces. Is this attention due to your belief that these types of activities have increased? If so, could you provide further explanation?

Since the beginning of protests against the results of the tenth presidential election in Iran in June 2009, which raised the issue of fraud, Iranian cyber groups (affiliated or under the protection of government security agencies) have launched espionage campaigns against targets inside Iran and the Iranian community abroad. These attacks have been carried out using malware and phishing. In the initial stages of their activities, these groups were not sophisticated, so we are witnessing a learning process over time. Although these groups are not the most advanced in the world, they have always been agile and have learned and used new tricks. This evolution in their behavior and professionalism over time has been the most interesting change to me.

However, instead of a significant increase in the volume of activities towards a specific goal, it seems that these groups focus on certain goals for a limited period of time in response to the needs and political conditions of the country and the region, and then abandon these goals and move towards new goals within the framework of responding to new needs. For example, we may not witness cyber attacks against activists for more than a few months, as attention has now shifted towards cyber warfare with Saudi Arabia, ISIS, and others.

Therefore, the activities are consistent and ongoing, but the goals are changing. For example, these groups may target the Baha’i community members for one month and then change their focus and dedicate themselves to organizations defending the rights of the Kurds the following month.

Allow me to give an example to clarify the subject: Some of the most active activities of these groups were during the presidential election period and also during the previous parliamentary elections, when several groups of political activists and even individuals affiliated with the political camp of reformist candidates were targeted. Based on these past experiences, we can now expect their activities to increase again towards internal goals as the presidential election approaches and the political situation in the country changes.

Based on the fact that you have monitored the cyber activities of Iranian government-affiliated forces, in your opinion, what are the most common methods and tactics that cyber forces use against Iranian civil activists?

Civil activists should be called "soft targets", meaning that this group has neither advanced training in protecting their security [in cyberspace and communications] nor the tools necessary to protect themselves against a motivated adversary. This means that cyber forces under the protection of the Iranian government tend to choose their most important targets from among the simplest ones; targets that do not require advanced techniques (such as malicious code) to challenge them. The technique used in the attacks that we have monitored and documented is mainly accompanied by "social engineering": convincing the victim to execute malware or to give up their password through fake pages.

We often see these hacker groups hack into the account of an active person in a group, or arrest one of the members of that network, and then impersonate that person to target their network. They present themselves as an acquaintance in order to send messages labeled "secure documents" or photos to dozens of people in that circle. In fact, these messages contain malware or fake login pages, such as a fake Google login. In other cases, they start a conversation in messaging apps like Hangouts or Telegram and tell the person on the other end to send the "conversation code", claiming that they must confirm the conversation is secure by sending that code back. This "conversation code" is actually a code sent by Google or Telegram to change a password or log into an application, and through it the hacker can take control of the victim's account.

The newest method, which is probably the most dangerous of its kind so far, is the cooperation between telecommunication companies like Irancell and security institutions, which the companies are forced to accept in order to continue operating in Iran. This is a problematic issue because many online services, such as Telegram accounts, Google account recovery, etc., are linked to people's phone numbers. Therefore, in practice, a security institution can go to a mobile operator and obtain the security code. With this, they can easily enter accounts without the cooperation of the app developer or any need to deceive the user. We have documented several cases of this nature so far.

In addition to the general lack of knowledge and the users' security concerns that you mentioned, do you think that the fact that, due to sanctions, Iranian people have been deprived of access to many software and internet services, including reputable antivirus programs, has had an impact on weakening the security of Iranian users?

Certainly, this is the case. This was the main topic of our discussion with the US government when we asked them to issue a "general license" exempting information technology from sanctions.

Let me give an example on this topic. Perhaps the simplest example is local VPNs: imagine that, in the absence of reputable and well-known service providers, there is now a thriving market for filter-bypassing tools within the country, openly sold and operating with domestic bank account numbers. The problem here is that these VPN providers have full access to their users' data traffic, which is a security risk.

Who manages these services, and how trustworthy are these individuals? We know that those who sell these VPNs are market sellers and not necessarily the designers or technical administrators of the VPNs; those are another, unknown group. This is not necessarily about their relationship with the government; even the privacy and confidentiality of financial information and personal conversations are at stake.

For this reason, namely the lack of access to applications (other than through the Cafe Bazaar website), Iran has the highest rate of malware on mobile devices. The restriction on downloading "Google Authenticator" (an application for verifying real account ownership), which recently ended, is another example. This tool protects accounts from phishing attacks, and access to it was limited because of Google's adherence to sanctions.

In addition, the lack of access to licenses and software updates has left Iranian users' devices vulnerable to even the simplest malicious code. Despite all the mentioned limitations, Iranian users are forced to install malware-infected applications.

In short, sanctions-driven restrictions on access to software and services provided by these companies make citizens vulnerable to political espionage by the government, as well as to commercial theft and criminal groups.

Can you tell the audience which foreign companies are collaborating with the Iranian government in the field of education, sales, or providing hacking and espionage equipment?

In my opinion, Iran’s control of information has shifted from foreign support to domestic support through local tools in recent years. It is important to remember that the United States has imposed additional sanctions on providing such equipment to Iran (and also Syria). This means that if a seller cooperates with the Iranian government in this regard and this cooperation is exposed, that service provider will be removed from the US market and even the global market. It seems that for several years, Chinese companies have provided some traffic monitoring and telephone equipment for the Iranian government. But in my opinion, this trend has increasingly moved towards Iranian companies and domestic production based on Iran’s technological expertise and isolation due to human rights issues.

Apart from the technology and hardware that I mentioned, when we talk about hacking, it can be said that hacking mainly draws on local knowledge. Iran has been active and experienced in the field of hacking for a long time. Iranians interested in computer security gather in forums and online groups and discuss and exchange ideas about hacking websites as a destructive hobby. And you surely know that the line between hobby and destruction is very thin! Such activities do not even require advanced equipment. We have seen cases where hacker groups have used commercially available software to spy on victims, which is a worrying and threatening development.

In hacking, it is necessary to spend time focusing on targets before any foreign technology is needed. That is why you see every kind of group, from religious individuals to women and those addicted to drugs or breaking the law, as members and active participants in these campaigns.

What is your opinion about the national internet project in Iran? Iranian authorities have announced the start of its first phase.

Recently, I wrote an article on how a national internet can be a safe internet in other places, but not in Iran.

The national internet in Iran actually requires telecommunication companies and the government to develop high-performance, reliable network infrastructure within the country. This is positive progress, as the internet in Iran is very unstable and slow. However, in Iran there is a problem similar to the current issue with mobile service providers, namely the security agencies' demands for cooperation from these companies.

The national internet is similar to Aparat (a video sharing website within Iran). Unlike YouTube, which is filtered, Aparat is easily accessible and can play high-quality videos for users. It also has more Persian content and is designed specifically for domestic audiences. The problem arises when, for example, a non-governmental group like "Majlis Watch" posts a video that challenges the government; if such an action is taken, their account is likely to be closed at the request of government institutions. It is also unlikely that Aparat will be able to resist such a request.

In general, in certain respects a national internet provides more content and a better connection for the user. However, when we make it restricted and heavy-handed, there is limited space left for critical discussion.

How do you see the future of censorship and filtering on the internet in Iran?

It seems that the Rouhani government has been trying to slow down the filtering process as part of its commitment to social freedom, especially in resisting requests to shut down applications like Telegram. These efforts have been relatively successful. The number of filters imposed has decreased compared to three years ago and during the Ahmadinejad era. Future developments that I can predict will largely depend on the structure of the censorship system, which will occur in two different dimensions.

First, where filtering is applied: Currently, most of the filtering is done at the international gateway by the government's communication infrastructure companies. This centralization is problematic because it can be a source of failure. The goal of the internet is to decentralize and to enable more connections, but the internet in Iran is moving in the opposite direction. If the filtering system fails, two scenarios arise: either users have access to everything, or the entire internet of the country is taken into the abyss.

In fact, the internet was never intended to be like this; before the centralization of filtering, ISPs were required to implement filtering themselves. It seems that with the emergence of the threat dimensions I mentioned, the implementation of filtering is now returning to the ISPs, meaning that filtering is happening closer to the user.

The second dimension is the method of filtering: A national internet is not a new experience in itself, so we can look at its experiences in other places. In similar cases, censorship is applied through compliance, not by blocking. This is the model used in China. If users move towards using domestic applications and services, the censorship they face, like the example I mentioned earlier about the Aparat website, is mostly based on the removal of content by the website's operators at the request of the government, rather than on a technical limitation.

Thank you for the opportunity you have given us.

Created By: Keyvan Rafiee
October 25, 2016

Tags: Colin Anderson, Cyber activities, Cyber army, Hacker, Hacking, Irancell, Kian Rafiei, Monthly Peace Line Magazine, National internet, Phishing, Sanction, Telegram, The first phase of national internet, VPN, ماهنامه خط صلح