Spear Phishing in Tehran

Iranian hackers are increasingly using the tools of cyber-espionage against exiles and dissidents.


The email arrived on the afternoon of March 9, 2016, and it appeared to bring news from an exile’s most feared bureaucracy: the U.S. immigration service.

“You received this email because you do not have a Permanent Residence, your Permanent Residence Status needs to be adjusted or you need to renew/replace your Permanent Residence Card,” the email read. Sent from a dhs.gov mailing address, containing links to the relevant forms, and ending with a cheerful sign-off — “With Best Regards” — the email had the look of a legitimate piece of correspondence from the U.S. government.

It wasn’t: The email had actually been sent from a hacker likely working on behalf of the Iranian government. The links to the requested forms contained malware designed to spy on its recipients — a human rights activist and likely others in the Iranian diaspora — on behalf of Tehran.

The email wasn’t an isolated attack against a potential dissident. Tehran is increasingly turning the tools of computer espionage against both exiles abroad and potential dissidents at home. Western researchers have found evidence that Iranian hackers have targeted the regime’s perceived opponents by hacking into their computers to install spy software, mapped out the millions of Iranian users of the encrypted messaging service Telegram, and targeted journalists for espionage.

While it is unclear exactly how many dissidents’ computers have been infected by the software, when successful the spyware at the very least tracks a user’s every keystroke and sometimes gives hackers the ability to take over a computer and examine its entire contents and communications. Researchers have documented more than 200 intrusion attempts and obtained technical evidence that one strain of malware they examined had infected 236 victims in 27 countries. These figures all but certainly constitute a small fraction of total Iranian hacking activity.

The findings come from a three-year research project by Amnesty International technologist Claudio Guarnieri and the independent security researcher Collin Anderson. Their research was first presented last week at the Black Hat security conference in Las Vegas, and while they point the finger squarely at Tehran for carrying out these attacks, it is important to note that the evidence for Iranian responsibility remains circumstantial. Attribution in cyberspace remains a tricky business, but Anderson and Guarnieri have collected evidence of tactics, tools, and procedures that constitute about as solid a case for Iranian responsibility as can be made.

Even as Iran continues to implement the terms of a historic nuclear deal, conservative members of its ruling class have sought to maintain a hold on power and prevent a broader rapprochement with Washington. The hardliners are supporting Bashar al-Assad in Syria, propping up proxy militant groups in Lebanon, Yemen, and Iraq, and maintaining their country’s deplorable human rights record. Iran continues to be a global leader in executions, and last week put to death Shahram Amiri, a nuclear scientist suspected of spying on behalf of the United States.

Aggressive surveillance remains a key tool in the regime’s attempt to maintain power, and today, having sophisticated snooping software installed on one’s computer can be as easy as opening the wrong attachment or clicking on a pernicious link. Quietly, software is downloaded in the background and begins communicating with whomever has selected you for surveillance.

Hackers working on behalf of Iran frequently turn to a method known as spear phishing — the use of an email that appears to come from a legitimate account but actually contains a malicious attachment or link — in order to install spyware on their targets’ digital devices.
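The lure described earlier in this piece (a dhs.gov sender, "form" links that actually deliver malware) leaves traces a recipient's mail system can check. The following is an added example, not code from the article and not one of the researchers' tools: a small Python triage that parses a constructed message, compares the domain the sender claims against the hosts its links point to, flags link targets that look like executables, and reads the SPF/DKIM/DMARC verdicts the receiving mail server recorded. The two sample messages, the `forms-renewal.example` host and the `example.org` recipient are constructed for illustration, and the registrable-domain reduction is a deliberate simplification.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a message from the article): the lure claims a dhs.gov
# sender, but the "form" link points at an unrelated host and the receiving
# mail server recorded SPF/DMARC failures for the claimed domain.
LURE = b"""\
From: USCIS Notices <no-reply@dhs.gov>
To: activist@example.org
Subject: Permanent Residence Status
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=dhs.gov;
 dkim=none; dmarc=fail header.from=dhs.gov
Content-Type: text/html; charset=utf-8

<html><body>
<p>You received this email because you do not have a Permanent Residence.</p>
<p>Form I-90: <a href="http://forms-renewal.example/i-90.exe">download</a></p>
<p>Reference: <a href="https://www.dhs.gov/">dhs.gov</a></p>
<p>With Best Regards</p>
</body></html>
"""

# Constructed benign counterpart: same claimed sender, every link stays on the
# sender's own domain and all three authentication results pass.
BENIGN = b"""\
From: USCIS Notices <no-reply@dhs.gov>
To: activist@example.org
Subject: Permanent Residence Status
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=dhs.gov;
 dkim=pass header.d=dhs.gov; dmarc=pass header.from=dhs.gov
Content-Type: text/html; charset=utf-8

<html><body>
<p>Form I-90: <a href="https://www.dhs.gov/forms/i-90">download</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
SUSPICIOUS_EXT = (".exe", ".scr", ".js", ".vbs", ".jar", ".zip", ".rar")


def registrable(host: str) -> str:
    """Crude registrable-domain reduction (last two labels). A real deployment
    would consult the public suffix list; this shortcut is an assumption."""
    return ".".join(host.lower().split(".")[-2:])


def auth_failures(auth_header: str) -> list:
    """Methods whose recorded result is absent or anything other than 'pass'."""
    failed = []
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth_header)
        if not m or m.group(1).lower() != "pass":
            failed.append(method)
    return failed


def triage(raw: bytes) -> dict:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = HREF_RE.findall(html)

    # 1. Links whose host does not belong to the domain the sender claims.
    mismatched = set()
    for url in links:
        host = urlparse(url).hostname
        if host and registrable(host) != registrable(sender_domain):
            mismatched.add(host.lower())

    # 2. Links whose path looks like a downloadable executable or archive.
    suspicious = sorted(u for u in links
                        if urlparse(u).path.lower().endswith(SUSPICIOUS_EXT))

    # 3. Sender-authentication verdicts written by our own receiving MTA.
    failed = auth_failures(str(msg.get("Authentication-Results", "")))

    return {
        "sender_domain": sender_domain,
        "mismatched_hosts": sorted(mismatched),
        "suspicious_links": suspicious,
        "auth_failures": failed,
    }


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

The point of the three checks is that they rely only on what the recipient's own infrastructure can observe: the headers the local mail server stamped on the message and the links in the body. None of them inspects the payload, so they catch a well-crafted lure like the one described above before anyone has to decide whether to click.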

The March 2016 email that purported to come from U.S. immigration was actually sent from a hacking group dubbed “Sima” by Guarnieri and Anderson for a recurring word in the malware code, and the researchers say that kind of sophisticated impersonation has become a calling card for the group.

In another instance of attempted hacking by Sima, the group sent an email to a human rights activist in which the group impersonated Peter Bouckaert, a top official at Human Rights Watch and a well-known figure within the global activist community. He writes extensively, including for Foreign Policy, and has been the subject of a documentary.

In the email spoofed by Sima, the hackers posing as Bouckaert wrote to alert the recipient about new HRW research showing that Iranian authorities were sending thousands of undocumented Afghans living in Iran to fight in Syria. The link to that research in fact contained software that could be used to spy on the recipient. Hours earlier the recipient, who remains anonymous to prevent retaliation from the Iranian regime, had been tweeting about the very same subject.

Hackers from the Sima group, Anderson said during last week’s presentation in Las Vegas, were “actively monitoring their targets and then responding very quickly to their perceived interests” in order to plant spyware.

But for all their sophistication in crafting emails, hackers from the Sima group were sometimes blundering. One so-called “dropper” used by the group — a program that allows hackers to download other applications onto a computer — generated continuous pop-ups as it attempted to establish itself on the victim’s computer. “User experience for the victim isn’t that great,” Guarnieri said, sardonically.

In another targeted attack by Iran, its hackers broke into the website of the University of Navarra in Spain and then pretended to set up a webinar about human rights issues in the Middle East. The hackers — dubbed “Cleaver” by cybersecurity firm Cylance when that firm wrote about them in 2014 — then emailed invitations to human rights activists. If the activists decided to participate, they were prompted to update Adobe Flash — and in so doing installed surveillance software on their computers.

Other hackers working on behalf of Iran, dubbed “Infy” by cybersecurity firm Palo Alto Networks earlier this year, have targeted journalists working on behalf of the BBC and its Persian-language service. Ahead of the June 2013 election, they sent emails to them purportedly from members of the Iranian opposition, including Mohammad Taghi Karroubi, the son of Mehdi Karroubi, an opposition politician currently under house arrest. They later infiltrated the email of a journalist working for Voice of America and used his email account to send malware to other journalists, according to Anderson and Guarnieri.

For countries such as Iran, malware has become a tool of statecraft. After the United States and Israel targeted Iranian nuclear centrifuges for sabotage with the Stuxnet virus, Iran retaliated by taking out the computers of Saudi Aramco, the oil giant, and hitting American banks online. Iran has turned the same hacking tools against human rights groups and civil society, with devastating consequences. “These organizations are significantly less able to defend themselves,” Anderson said.

But Infy’s activities haven’t been limited to the moderate political opposition, and have also targeted militants waging a low-level war with Iranian authorities. The group also hacked into a website associated with the Jundallah, a Balochi terrorist group operating on Iran’s border with Afghanistan, in order to install spyware on visitors to a blog that carried news about the group.

Even as Iranian hacker groups are going after their targets with precision — human rights activists interested in gender issues were favorites of Sima — Guarnieri and Anderson have also documented how indiscriminate techniques are likely being used to facilitate regime surveillance.

Encrypted messaging services such as WhatsApp, Viber, and Telegram are extraordinarily popular in Iran, both as a means of communication inside the country and with the diaspora. These services, with strong end-to-end encryption and data stored on servers outside the country, present a challenge to Iranian authorities looking to snoop.

Recently, Telegram has become the app du jour, and according to Guarnieri and Anderson’s research, Iranian authorities exploited a bug in the app’s interface and mapped the phone number of nearly every user using the app in Iran. Before Telegram fixed the gap in their systems, Iranian authorities collected more than 15 million numbers. Pulling phone numbers — which Telegram uses to authenticate users — did not breach any communications, Anderson said, but could be used for further targeting of Telegram users in Iran.

 Twitter: @EliasGroll
