This article is more than 1 year old

Iran blocks Whatsapp, Instagram as citizens protest death of Mahsa Amini

Also: New 'magnet of threats' attackers and FBI has details on Iran's online incursion into Albania

Iran is experiencing a near-total internet service disruption in the west and intermittent interruptions nationwide, with access to Instagram, Whatsapp and some mobile networks being blocked, says Netblocks.

While Twitter and Facebook were banned in Iran years ago, Instagram and WhatsApp remained as one of the few accessible social media platforms in the country. That is, until Wednesday when the two apps were choked.

Signal has also put out a call for help from the tech community asking those who are willing and able to set up a proxy server.

As for the disrupted mobile networks in the country, they include Iran's leading cellular operator, MCI.

According to Netblocks, a watchdog that monitors cybersecurity and Internet governance, the class of internet disruption currently taking place in Iran affects connectivity at the network layer, which means that VPN or software workarounds are generally not possible.

The comms blocks coincide with nationwide protests against the death of Mahsa Amini. Protests erupted after Amini died in police custody after being arrested by Iran's morality police for improperly wearing her hijab.

The police claimed Amini experienced sudden heart failure and died after two days spent in a coma, but eyewitnesses allege and leaked medical records support the thesis that she was beaten and died from related injuries.

Demonstrations that erupted in Amini's home region of Kurdistan spread this week to other provinces. Videos reveal scenes of women dancing and burning their hijabs as well as cutting their hair.

"The network disruptions are likely to severely limit the public’s ability to express political discontent and communicate freely," said Netblocks.

The outfit called the outages the "most severe internet restrictions since the November 2019 massacre, when the government shut down the internet in a near-total blackout for around six days as they attempted to squash protests. At that time, connectivity was gradually and selectively regained."

New group embeds itself amongst Iran and China-linked 'magnet of threats'

In other Iran news this week, cybersecurity researchers from SentinelOne's SentinelLabs said they had uncovered a new online attacker group lurking in a "magnet of threats" that has a relationship with other attack groups linked to China and Iran.

A "magnet of threats" is a target so desirable that multiple hacking efforts cohabitate in the system at the same time.

Among the group was a new player it named "Metador." Metador has been around for at least two years and is well funded, said SentinelOne. It primarily targets telecoms, ISPs and universities in Middle East and Africa.

The attack chains used by Metador are designed to bypass security and deploy malware directly into memory. Researchers have discovered two Windows malware platform variants and indications of a Linux implant.

"The limited number of intrusions and long-term access to targets suggests that the threat actor's primary motive is espionage," said the team. However, SentinelLabs was unable to pinpoint a particular culprit behind the acts.

"While Metador appears primarily focused on enabling collection operations aligned with state interests, we'd point to the possibility of a high-end contractor arrangement not tied to a specific country," said the researchers.

US government agencies warn Iranian hackers accessed Albania's government network for over a year

On Monday, the US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement revealing details of an attack by Iranian state cyber actors on Albania's government network.

In July, the group, which calls itself HomeLand Justice, launched an attack that took out the Albanian government's websites and services.

"A FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber-attack, which included a ransomware-style file encryptor and disk wiping malware," the FBI and CISA revealed. "The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating email content."

The group also used a compromised Microsoft Exchange account to run searches on various mailboxes, the agencies claimed, while using the compromised account to create a new one and add it to the Organization Management role group. It was then able to exfiltrate large amounts of data.

In September, the group launched another similar wave of attacks against the government of Albania, which not only resulted in a severing of diplomatic ties between the two countries, but also sanctions from the US Treasury Department. ®

More about


Send us news

Other stories you might like