Iran linked to al-Qaeda's web jihadi crew by old-school phone line

Updated New information has since come to light following the publication of this article, revealing the real identity of the leased line owner.

An organisation that attempts to recruit Westerners to carry out terrorist attacks on their home soil was backed by the Iranian state, according to an unlikely source of information: leased telephone line records.

Security researcher Michael Kemp found a list of the Middle East nation's leased lines that use the packet switching protocol X.25, and claims that it included a line allocated to Ansar Al-Mujahideen - a popular hangout for Islamic militants.

"In the course of doing some research on X.25 - the network that existed before there was the internet - I stumbled across a document detailing all the X.25 network user addresses for the country of Iran," Kemp told El Reg.

"In Iran all connections have to be approved by an organisation called DCI: the Data Communications Company of Iran.

"I found a network user address that appears, if the document is genuine, to pertain to Ansar Al-Mujahideen. Ansar Al-Mujahideen are lovely people who are very much supportive of Jihad as a concept, and have been linked to al-Qaeda. And they have a state-licensed leased line in Iran," the co-founder of UK-based Xiphos Research added.

Checking the validity of the paperwork by attempting to access the leased line would violate the UK's strict anti-hacking laws - specifically the Computer Misuse Act. Kemp said he was unable to rule out the possibility that the list was planted as some sort of disinformation campaign, but argues that the circumstances make this unlikely.

"It's not an 'internal' document but a result of some X.25 walking a student was doing a while ago - about four years ago - but X.25 data network identification codes (DNICs) and their network user addresses (NUAs) are pretty much fixed so that really doesn't matter," Kemp said. "There is nothing to prove the doc is legit, but if it is someone pissing around, they have spent a lot of time making the file appear genuine, and it should probably be treated accordingly."

The spreadsheet, compressed and scrambled using a passcode, is in Arabic and Farsi, and features about 2,800 records. The surprising entries are at lines 92 and 93 of the document:

X25 scene Khorasan Razavi 51,133,113 Ansar al-Mujahideen scene

Kemp called on a Farsi-speaking friend in Syria, as well as Google Translate, to make sense of the document. "Khorasan Razavi" refers to a province in north-east Iran, close to the Afghan border.

"It doesn't necessarily mean that Ansar Al-Mujahideen are using the line," Kemp said. "The reason why I suspect that they are, rather than a techie twatting about, is that all leased lines in Iran have to be approved by the Iranian government in conjunction with the Telecommunication Company of Iran (TCI), which runs the Iranian x.25 backbone. And I suspect a creative techie may get into a bit of bother with that naming convention - it's a bit more contentious than calling your file server Frodo.

"To the best of my knowledge, X.25 is still really widespread in Iran as unlike TCP/IP it's a shedload easier to control. Additionally according to numerous sources most of the network backbone is X.25, and the Iranians have yet to jump on TCP proper. This may have to do with state control than anything technical."

Kemp explained how he came across the document, which was put together by a security consultant of Arab extraction living in Sweden.

"I fell across the doc while researching X.25 connectivity," he said. "I did a talk on legacy tech at Grrcon and as X.25 is a lovely old and grizzled protocol, so I thought I'd cover that for the TCP/IP generation.

"X.25 is still used as a backbone for ATMs, and SMS bulk services, but Iran is a bit of a weird one from what I know. They never really made the jump to TCP proper and I think much of the ISP space over there is X.25 via XOT or similar. As to why Ansar would have a leased line, if it is them, my supposition would be that it's used to access the internet. Although that said, there could be bloody anything on there, and I have no great desire to breach the Computer Misuse Act and find out."

This legal restriction wouldn't hold back intelligence agencies, of course, and finding out the kind of traffic the line carried would not be particularly difficult.

"There're no passwords but X.25 doesn't work like that," Kemp explained. "Basically if you have a country's DNIC (as mandated by the lovely people at ITU) and the NUA, and access to a X.25 leased line or X.28 pad, you can dial up the number."

Iran and web jihadis - unlikely bedfellows?

Ansar Al-Mujahideen - which maintains a Hungarian-hosted website at ansar1.info - is a forum for jihad-related propaganda and recruitment. The group has posted links to videos showing "Islamic fighters in France" and its site features the pictures of prominent members of al-Qaeda, including its post-Osama leader Ayman al-Zawahiri.

A curious twist to this story is that al-Qaeda, which Ansar Al-Mujahideen is so closely linked to, is a radical Sunni Muslim movement - whereas Iran is overwhelmingly a Shi'ite nation. These two denominations of Islam are so strongly split on their beliefs that it has led to conflict and strife across the Middle East for centuries.

Ansar Al-Mujahideen is apparently trying to radicalise Westerners and persuade them to mount attacks at home as well as recruit them for action in Kashmir. An academic paper on the group and other e-jihadists can be found here.

If the evidence from the leased-line file is to be believed then Ansar Al-Mujahideen has some sort of base in Iran - there's no other good reason to have a government-allocated leased line.

Kemp, an expert in computer security rather than global politics or terrorism, is unsure what this might mean: "Why would they have an office in Iran, who knows? My speculation would be that it's a 'friendly' state thing, in as much as they probably get less hassle there than elsewhere. Direct Iranian involvement in terrorism, which is unequivocally technically provable, may be interesting."

The researcher is putting together a talk for the Deepsec conference in Vienna, Austria next month about the supposed threats posed by computer-armed terrorists. ®