Spear Phishing in Tehran

Iranian hackers are increasingly using the tools of cyber-espionage against exiles and dissidents.


The email arrived on the afternoon of March 9, 2016, and it appeared to bring news from an exile’s most feared bureaucracy: the U.S. immigration service.

“You received this email because you do not have a Permanent Residence, your Permanent Residence Status needs to be adjusted or you need to renew/replace your Permanent Residence Card,” the email read. Sent from a mailing address, containing links to the relevant forms, and ending with a cheerful sign-off — “With Best Regards” — the email had the look of a legitimate piece of correspondence from the U.S. government.

It wasn’t: The email had actually been sent from a hacker likely working on behalf of the Iranian government. The links to the requested forms contained malware designed to spy on its recipients — a human rights activist and likely others in the Iranian diaspora — on behalf of Tehran.

The email wasn’t an isolated attack against a potential dissident. Tehran is increasingly turning the tools of computer espionage against both exiles abroad and potential dissidents at home. Western researchers have found evidence that Iranian hackers have targeted the regime’s perceived opponents by hacking into their computers to install spy software, mapped out the millions of Iranian users of the encrypted messaging service Telegram, and targeted journalists for espionage.

While it is unclear exactly how many dissidents’ computers have been infected by the software, when successful the spyware at the very least tracks a user’s every keystroke and sometimes gives hackers the ability to take over a computer and examine its entire contents and communications. Researchers have documented more than 200 intrusion attempts and obtained technical evidence that one strain of malware examined infected 236 victims in 27 countries. These figures all but certainly constitute a small fraction of total Iranian hacking activity.

The findings come from a three-year research project by Amnesty International technologist Claudio Guarnieri and the independent security researcher Collin Anderson. Their research was first presented last week at the Black Hat security conference in Las Vegas, and while they point the finger squarely at Tehran for carrying out these attacks, it is important to note that the evidence for Iranian responsibility remains circumstantial. Attribution in cyberspace remains a tricky business, but Anderson and Guarnieri have collected evidence of tactics, tools, and procedures that constitute about as solid a case for Iranian responsibility as can be made.

Even as Iran continues to implement the terms of a historic nuclear deal, conservative members of its ruling class have sought to maintain a hold on power and prevent a broader rapprochement with Washington. The hardliners are supporting Bashar al-Assad in Syria, propping up proxy militant groups in Lebanon, Yemen, and Iraq, and maintaining their country’s deplorable human rights record. Iran continues to be a global leader in executions, and last week put to death Shahram Amiri, a nuclear scientist suspected of spying on behalf of the United States.

Aggressive surveillance remains a key tool in the regime’s attempt to maintain power, and today, having sophisticated snooping software installed on one’s computer can be as easy as opening the wrong attachment or clicking on a pernicious link. Quietly, software is downloaded in the background and begins communicating with whomever has selected you for surveillance.

Hackers working on behalf of Iran frequently turn to a method known as spear phishing — the use of an email that appears to come from a legitimate account but actually contains a malicious attachment or link — in order to install spyware on their targets’ digital devices.

The March 2016 email that purported to come from U.S. immigration was actually sent from a hacking group dubbed “Sima” by Guarnieri and Anderson for a recurring word in the malware code, and the researchers say that kind of sophisticated impersonation has become a calling card for the group.

In another instance of attempted hacking by Sima, the group sent an email to a human rights activist in which the group impersonated Peter Bouckaert, a top official at Human Rights Watch and a well-known figure within the global activist community. He writes extensively, including for Foreign Policy, and has been the subject of a documentary.

In the email spoofed by Sima, the hackers posing as Bouckaert wrote to alert the recipient about new HRW research showing that Iranian authorities were sending thousands of undocumented Afghans living in Iran to fight in Syria. The link to that research in fact contained software that could be used to spy on the recipient. Hours earlier the recipient, who remains anonymous to prevent retaliation from the Iranian regime, had been tweeting about the very same subject.
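The impersonation pattern described above (a borrowed identity, a link that points somewhere other than it claims) can be triaged mechanically on the receiving side. The script below is an added example and is not code from the article, from Guarnieri and Anderson, or from any group the article describes. It parses a constructed sample message with Python's standard library and reports the signals a defender would check first: a display name that invokes a known organisation while the address domain does not match, a missing or failing DMARC result, and links whose visible text disguises their real destination. The organisation/domain table, the sample messages and the address domains in them are all made up for the example.

```python
"""Triage checks for impersonation-style spear phishing (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lookup table (placeholder data): organisations this audience is
# likely to trust, and the domains they legitimately send mail from.
KNOWN_SENDERS = {
    "human rights watch": {"hrw.org"},
    "uscis": {"uscis.dhs.gov", "dhs.gov"},
}

# Constructed sample: a message posing as an HRW researcher, with a link whose
# anchor text shows one site while the href points at an executable elsewhere.
SAMPLE_EMAIL = """\
From: "Peter Bouckaert (Human Rights Watch)" <research@hrw-reports.example.com>
To: activist@example.org
Subject: New HRW research on Afghan recruitment in Iran
Authentication-Results: mx.example.org; dmarc=fail (p=reject) header.from=hrw-reports.example.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear colleague, please see our new report:</p>
<a href="http://files.example-cdn.net/report.exe">https://www.hrw.org/report/2016</a>
</body></html>
"""

# Constructed benign sample for contrast: matching domain, DMARC pass, honest link.
BENIGN_EMAIL = """\
From: "HRW Communications" <press@hrw.org>
To: activist@example.org
Subject: Newsletter
Authentication-Results: mx.example.org; dmarc=pass header.from=hrw.org
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.hrw.org/news">https://www.hrw.org/news</a></body></html>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".jar", ".vbs", ".hta")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name borrows a known organisation, but the domain is not theirs.
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        findings.append("no parseable From address")
    else:
        addr = from_hdr.addresses[0]
        claimed = next((o for o in KNOWN_SENDERS if o in addr.display_name.lower()), None)
        legit = {_registered_domain(d) for d in KNOWN_SENDERS.get(claimed, ())}
        if claimed and _registered_domain(addr.domain) not in legit:
            findings.append(f"display name claims '{claimed}' but address domain is {addr.domain}")

    # 2. DMARC result as recorded by the receiving MX.
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    if not m:
        findings.append("no DMARC result recorded")
    elif m.group(1).lower() != "pass":
        findings.append(f"DMARC result: {m.group(1)}")

    # 3. Links whose visible text names a different site than the real target,
    #    and links that fetch an executable directly.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            text_host = urlparse(text).hostname or ""
            if text_host and _registered_domain(text_host) != _registered_domain(href_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
            if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"link downloads executable: {href}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw) or ["no findings"])
```

The registrable-domain check is deliberately crude (two labels); a production version would use the public suffix list, and the organisation table would come from a maintained allowlist rather than a dictionary in the script.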

Hackers from the Sima group, Anderson said during last week’s presentation in Las Vegas, were “actively monitoring their targets and then responding very quickly to their perceived interests” in order to plant spyware.

But for all their sophistication in crafting emails, hackers from the Sima group were sometimes blundering. One so-called “dropper” used by the group — a program that allows hackers to download other applications onto a computer — generated continuous pop-ups as it attempted to establish itself on the victim’s computer. “User experience for the victim isn’t that great,” Guarnieri said, sardonically.

In another targeted attack by Iran, its hackers broke into the website of the University of Navarra in Spain and then pretended to set up a webinar about human rights issues in the Middle East. The hackers — dubbed “Cleaver” by cybersecurity firm Cylance when that firm wrote about them in 2014 — then emailed invitations to human rights activists. If the activists decided to participate, they were prompted to update Adobe Flash — and in so doing installed surveillance software on their computers.

Other hackers working on behalf of Iran, dubbed “Infy” by cybersecurity firm Palo Alto Networks earlier this year, have targeted journalists working on behalf of the BBC and its Persian-language service. Ahead of the June 2013 election, they sent emails to them purportedly from members of the Iranian opposition, including Mohammad Taghi Karroubi, the son of Mehdi Karroubi, an opposition politician currently under house arrest. They later infiltrated the email of a journalist working for Voice of America and used his email account to send malware to other journalists, according to Anderson and Guarnieri.

For countries such as Iran, malware has become a tool of statecraft. After the United States and Israel targeted Iranian nuclear centrifuges for sabotage with the Stuxnet virus, Iran retaliated by taking out the computers of Saudi Aramco, the oil giant, and hitting American banks online. Iran has turned the same hacking tools against human rights groups and civil society, with devastating consequences. “These organizations are significantly less able to defend themselves,” Anderson said.

But Infy’s activities haven’t been limited to the moderate political opposition, and have also targeted militants waging a low-level war with Iranian authorities. The group also hacked into a website associated with the Jundallah, a Balochi terrorist group operating on Iran’s border with Afghanistan, in order to install spyware on visitors to a blog that carried news about the group.

Even as Iranian hacker groups are going after their targets with precision — human rights activists interested in gender issues were favorites of Sima — Guarnieri and Anderson have also documented how indiscriminate techniques are likely being used to facilitate regime surveillance.

Encrypted messaging services such as WhatsApp, Viber, and Telegram are extraordinarily popular in Iran, both as a means of communication inside the country and with the diaspora. These services, with strong end-to-end encryption and data stored on servers outside the country, present a challenge to Iranian authorities looking to snoop.

Recently, Telegram has become the app du jour, and according to Guarnieri and Anderson’s research, Iranian authorities exploited a bug in the app’s interface and mapped the phone number of nearly every user of the app in Iran. Before Telegram fixed the gap in its systems, Iranian authorities collected more than 15 million numbers. Pulling phone numbers — which Telegram uses to authenticate users — did not breach any communications, Anderson said, but could be used for further targeting of Telegram users in Iran.


Elias Groll is a staff writer at Foreign Policy. Twitter: @EliasGroll
