Hackers, bloggers 'bunged cash to spin for Iran 2.0'

Put in a good tweet for us, says Revolutionary Guard


CyCon 2012 The Iranian government is investing heavily in hacking expertise and online propaganda in order to promote its way of life under the country's post-Islamic Revolution regime - as well as using its new resources to tighten up control and surveillance of its citizens.

This is according to Jeff Bardin, chief intelligence officer at Treadstone 71, a US-based intelligence analysis firm. He told delegates to the International Conference on Cyber Conflict (CyCon) in Tallinn, Estonia that intelligence divisions within the Iranian military are working together with former members of hacking groups to fight "Western cultural influences" and online dissidents as well as promoting Iranian foreign policy objectives.

Key groups in the move include the Islamic Revolutionary Guard Corps (IRGC), the paramilitary Basij militia and the hacker group Ashiyane, according to Bardin. Ashiyane, which maintains an active forum, denies any affiliation with the IRGC or the Iranian government. But Bardin claimed that, contrary to its denials, Ashiyane actually offers training courses in IT security to Iranian government organisations as a preferred supplier.

Bardin said he believes the core members of Ashiyane were drawn from a hacker group that cut its teeth defacing Western websites and running more elaborate hacks as the so-called Iranian Cyber Army.

The Iranian Cyber Army used a DNS attack to hijack Twitter in 2010 before using much the same techniques to redirect surfers towards a defaced version of the home page of Chinese search engine Baidu weeks later.

Ashiyane appears to have expertise in running DDoS attacks to knock websites offline, web page defacement, infiltration and credit card theft, says Bardin.

The IRGC is an overarching organisation whose role in Iranian society has expanded behind its origins as a type of national guard to become a huge business empire and lynchpin of President Mahmoud Ahmadinejad's administration.

Shortly after playing a key role in suppressing dissent following the disputed presidential election of June 2009, the IRGC, by way of a company it is tied to, acquired a majority $8bn stake in the Iran Telecommunications Company. By controlling the telecoms infrastructure, the IRGC can now apply even heavier censorship controls on Iranian web access.

The Revolutionary Guard was established in 1979 to suppress counter-revolutionary forces but it has become is similar to what it was created to eliminate: the Shah's Imperial Guards. Bardin described the organisation as employing a "communist-style model" featuring regular "purges" and constant-jockeying for position and favour, a process often affected by external events.

"The IRGC didn't foresee the power of social networking" in the run-up to the 2009 Iranian presidential elections but is now pushing heavily to promote a Web 2.0 version of its brand of Islam.

Bardin said that the IRGC is paying online activists and bloggers to promote the Islamic Republic in forums, Facebook pages and elsewhere online, an assessment shared by Israeli intelligence analysts - but they reckon reckon cyber workers are paid $4.30 (£2.70) an hour, which is higher than the average wage.

Iran is seeking to promote its version of Islamic Revolution to the Shia populations of neighbouring Gulf states, such as Bahrain, as well as influencing political groups in Syria, Lebanon and Palestine – including Hezbolah and Hamas.

IRGC is very capable and the West shouldn't "underestimate its adversary," Bardin concluded.

Other IRGC operations may have included planting a back door in a Trojanised version of the Simurgh privacy tool to spy on Iranian surfers and the infamous Diginotar and Comodo digital certificate hacks, Barbin suggested.

Bardin's well-attended talk limited itself to Iran's information warfare and propaganda capabilities and deliberately skirted any reference to the infamous Stuxnet worm or the recently uncovered Flame worm, aside from a brief reference to Iran's development of a home-grown anti-virus capability. Bardin said he didn't want to discuss (presumed) US or Western capabilities in cyber-espionage. ®

Similar topics

Broader topics


Other stories you might like

  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • Iran, China-linked gangs join Putin's disinformation war online
    They're using the invasion 'to take aim at the usual adversaries,' Mandiant told The Reg

    Pro-Beijing and Iran miscreants are using the war in Ukraine to spread disinformation that supports these countries' political interests — namely, advancing anti-Western narratives – according to threat-intel experts at Mandiant.

    Additionally, Iranian cyber-campaigns are using Russia's invasion of its neighbor to take aim at Saudi Arabia and Israel, the researchers found.

    In a new report published today, Mandiant's Alden Wahlstrom, Alice Revelli, Sam Riddell, David Mainor and Ryan Serabian analyze several information operations that the team has observed in its response to the conflict in Ukraine. It also attributes these campaigns to actors that the threat researchers say are operating in support of nation-states including Russia, Belarus, China and Iran.

    Continue reading
  • Iran-linked Cobalt Mirage extracts money, info from US orgs – report
    Khamenei, can you just not? Not right now, fam

    The Iran-linked Cobalt Mirage crew is running attacks against America for both financial gain and for cyber-espionage purposes, according to Secureworks' threat intelligence team.

    The cybercriminal gang has been around since June 2020, and its most recent activities have been put into two categories. One, using ransomware to extort money, as illustrated by a strike in January against a US philanthropic organization, according to Secureworks' Counter Threat Unit (CTU); and two, gathering intelligence, with a local government network in the United States targeted in March, CTU researchers detailed Thursday.

    "The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage," they wrote. "While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited. At a minimum, Cobalt Mirage's ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat."

    Continue reading
  • Who is exploiting VMware right now? Probably Iran's Rocket Kitten, to name one
    We hope you've patched that 9.8/10 severity bug

    A team of Iranian cyber-spies dubbed Rocket Kitten, for one, is likely behind attempts to exploit a critical remote-code execution vulnerability in VMware's identity management software, according to endpoint security firm Morphisec.

    Earlier this month, VMware disclosed and fixed the security flaw, tracked as CVE-2022-22954, in its Workspace ONE Access and Identity Manager software. In terms of CVSS severity, the bug was rated 9.8 out of 10. We note the virtualization giant revised its advisory on the matter on April 13 to say miscreants had exploited the vulnerability in the wild.

    The bug involves server-side template injection, and can be abused by anyone with network access. Exploitation essentially clears the way for intruders to deploy ransomware, steal data, and perform any other dirty deeds.

    Continue reading
  • Russia, Iran, Saudi Arabia are top sources of online misinformation
    Think tank fears future studies of this sort may be harder as social networks withdraw data

    Russia, Iran and Saudi Arabia are the top three proliferators of state-linked Twitter misinformation campaigns, according to a report released Wednesday by the Australian Strategic Policy Institute (ASPI).

    The think tank's International Cyber Policy Centre report and corresponding website examined datasets in Twitter's Information Operations Archive to understand state willingness, capability and intent to drive disinformation campaigns.

    While Russia, Iran and Saudi Arabia scored first, second and third, respectively, in terms of number of campaigns out of the 17 countries examined, China and Venezuela filled the next two places on the list.

    Continue reading

Biting the hand that feeds IT © 1998–2022