Iran Lobby

Exposing the Activities of the lobbies and appeasers of the Mullah's Dictatorship ruling Iran


Iranian Hackers Targeting American Officials and Dissidents

December 14, 2018 by admin

In another sign of the growing extremism and aggressiveness of the Iranian regime, the Associated Press revealed an unprecedented effort by Iranian regime hackers to break into the personal emails of American officials responsible for enforcing new economic sanctions imposed on Iran.

In addition to the cyber attacks on U.S. officials, the Iranian regime hackers also targeted high-profile dissidents and detractors of the Iran nuclear deal, as well as a hodgepodge of D.C. think tank employees, Iranian civil society figures and atomic scientists.

The AP drew on data gathered by the London-based cybersecurity group Certfa to track how a hacking group often nicknamed Charming Kitten spent the past month trying to break into the private emails of more than a dozen U.S. Treasury officials.

The reported campaign underscores the degree to which government-sponsored hackers still rely on tricking email users into handing over their email usernames and passwords. The alleged phishing campaign aimed to bait targets into handing over their credentials and then went further, asking victims to provide one-time codes, such as texted and app-generated codes, used as a second form of authentication.

The hit list surfaced after Charming Kitten mistakenly left one of its servers open to the internet last month. Researchers at Certfa found the server and extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers that they handed to the AP for further analysis.

It’s hard to know how many of the accounts were successfully compromised or how exactly they were targeted in each case. But even though the addresses likely represent only a fraction of the hackers’ overall efforts, they still provide considerable insight into Tehran’s espionage priorities.

“Presumably, some of this is about figuring out what is going on with sanctions,” said Frederick Kagan, a scholar at the American Enterprise Institute who has written about Iranian cyberespionage and was among those targeted.

Kagan said he was alarmed by the targeting of foreign nuclear experts. “This is a little more worrisome than I would have expected,” he said.

The targeting of the email accounts of nuclear scientists raises the dark specter that the regime is going after data and critical research information that could prove useful in its ongoing nuclear weapons development.

The actions also fly in the face of one of the key arguments made by the Iran lobby during the run-up to the nuclear deal, which was that the Iranian regime was only interested in civilian and peaceful nuclear development and had no interest in developing weapons of mass destruction.

In a report published Thursday, Certfa tied the hackers to the Iranian government, a judgment drawn in part on operational blunders, including a couple of cases where the hackers appeared to have accidentally revealed that they were operating from computers inside Iran.

Certfa said its investigation found the hackers used Virtual Private Networks, or VPNs, to make it look like they were operating from France and the Netherlands. But the group said it uncovered strong evidence to prove that the hackers were operating from inside Iran.

The assessment was backed by others who have tracked Charming Kitten. Allison Wikoff, a researcher with Atlanta-based SecureWorks, recognized some of the digital infrastructure in Certfa’s report and said the hackers’ past operations left little doubt they were government-backed.

“It’s fairly clear-cut,” she said.

One target was Frederick Kagan, who works for the American Enterprise Institute, a think tank based in Washington. Kagan has repeatedly written about Iranian cyberespionage efforts.

“Presumably, some of this is about figuring out what is going on with sanctions,” Kagan told the AP. He was speaking about economic sanctions the U.S. has placed on Iran. The latest sanctions, on Iran’s oil and financial industry, were announced last month.

Iranian regime cyber attacks are nothing new; they have become relentless and a fact of life for white hat programmers tasked with defending government and corporate networks against intrusion. But this latest effort to gain access to personal email accounts, which have much lower levels of security, presents a different tack in the regime’s cyber tactics.

To add a look of legitimacy to their campaign, the hackers in some cases directed victims to open websites hosted on Google Sites pages before entering their usernames and passwords, Certfa said. The researchers said they notified Google of the pattern, and Google deactivated the hackers’ pages hosted on the company’s service. Google didn’t immediately respond to a request for comment.

The effort to target avowed dissidents and naysayers of the Iran nuclear deal indicates another disturbing trend by the mullahs in Tehran, which is to go after those who dare denounce or criticize them.

This past year, Iranian intelligence agents have been identified in attempts to smuggle a bomb into an annual gathering of Iranian dissidents outside of Paris and plot an assassination attempt in Denmark against noted critics of the regime.

What is also noteworthy is the virtual silence emanating from the Iran lobby and its chief members, including the National Iranian American Council, who have never voiced a criticism of the Iranian regime’s cyber terror activities, nor ever called upon the regime to lift the virtual blockade it has imposed on outside social media services within Iran.

The tight-fisted ban on transmitting information reveals the key weakness of the mullahs’ rule, which is that it cannot stand up to the scrutiny of daylight and transparency.

This is why the regime relies so heavily on cyber attacks to stifle dissent, gain intelligence and secrets and wage an online war against its harshest critics, such as the efforts by the regime to manipulate fake social media accounts to attack dissident groups such as the National Council of Resistance of Iran.

Ultimately, the regime’s efforts are likely to prove ineffective as its stealth efforts are uncovered and revealed to the world, reinforcing the growing perception that Tehran was never really serious about pursuing a new moderation with the rest of the world.

Michael Tomlinson

Filed Under: Blog Tagged With: Featured, Iran Cyber Attacks, Iran Cyber terrorism, Iran Lobby, NIAC

Disclosure of Twitter Data Reveals Depths of Iran Meddling

October 23, 2018 by admin

Social media giant Twitter released detailed data files related to efforts by foreign countries to meddle in U.S. elections, including actions taken by Twitter against more than 4,500 accounts linked to state-backed operators; 3,841 accounts were linked to Russia’s Internet Research Agency and another 770 accounts were linked to the Iranian regime.

Twitter had previously disclosed the false-front efforts, but this data release included the actual tweets sent out by the bogus accounts; the data dump totaled more than 360 gigabytes of information including more than 10 million tweets with more than two million images, GIFs, videos and livestream broadcasts.

Twitter also released information on each profile including the number of followers it had, who they followed in turn, the geolocation of those tweets and more. The earliest activity noted by Twitter stretched back to 2009 which indicates how committed the trolling operation was in hijacking dormant accounts and spreading disinformation.

Twitter noted that the “information operations and coordinated inauthentic behavior will not cease. These types of tactics have been around for far longer than Twitter has existed — they will adapt and change as the geopolitical terrain evolves worldwide and as new technologies emerge.”

According to Ben Nimmo, a data analyst at the Atlantic Council’s Digital Forensic Research Lab, the Iranian tweet effort consisted of about a million tweets from 770 accounts that mainly attempted to get Twitter users to go to websites that hosted pro-Iran, anti-Israel or anti-U.S. content.

The Iranian effort to steer users to websites populated with pro-Iran content is typical of recent Iranian cyber-operations to support initiatives such as passage of the Iran nuclear deal and opposition to the U.S. pull out from the same deal and imposition of economic sanctions.

The top three geopolitical phrases mentioned by the Iranian trolls included Saudi, Iran, and Trump. One-third of the posts from the Iranian troll farm led users to AWDNEWS.com, which calls itself an independent news agency, yet Nimmo refers to it as “part of the Iranian messaging laundromat.”

AWD News is part of a cluster of sites exposed by FireEye in August as Iranian government-sponsored outlets.

The cyber efforts closely mirrored those of the Iran lobby in building the larger “echo chamber” of opinion from bloggers such as Lobelog.com and academics such as Seyed Hossein Mousavian, advocacy groups such as the National Iranian American Council and false-front websites such as Iran-interlink.org.

Many of the Iranian trolls either posed as news sites or masqueraded as journalists. One account with 1,450 followers, MariaLuis91, which claimed to be a French journalist, posted the same article to hundreds of different people each day throughout 2014, Nimmo said.

“They were just spam sharers, but that’s not the kind of behavior which is going to engage lots of people. They are just going to think who are you and why are you sending me this, and I will probably block you,” he added.

It is unclear if all of Iran’s operation has been shut down by Twitter, but Nimmo says there are “indications that the websites that have been identified so far are not the full set.”

All of which goes to demonstrate that the Iranian social media campaigns are likely far from dead and in fact are only in the beginning stages as the regime gains a better understanding of, and more sophistication in, how to conduct such campaigns effectively.

While this initial effort was termed “clumsy” by Nimmo and other analysts, the truth is that Tehran may view this effort only as experimental, and as FireEye and other cybersecurity firms publish findings, future Iranian efforts will most likely take their missteps into account and try better tactics to influence American journalists and voters.

The U.S. wasn’t the only target of Iranian social media campaigns, as Bahrain revealed that it had discovered that social media accounts managed in Iran by political groups operating outside of Bahrain were issuing death threats aimed at electoral candidates in the country.

The director-general of the Anti-corruption and Economic and Electronic Security department said they had monitored and followed up the complaints by some candidates who claimed to have received threats on social media asking them to withdraw their candidacy.

He said that an investigation showed that those social media accounts were managed in Iran and were aimed at “disrupting the election process”, the official Bahrain News Agency reported.

The ongoing Iranian efforts have caused continued concern in the U.S., as intelligence officials issued a joint statement from the Office of the Director of National Intelligence, the Homeland Security Department, the Justice Department and the FBI, which say they’re worried about activities that “seek to influence voter perceptions and decision-making” in the 2018 and 2020 elections.

The agencies say the “ongoing campaigns” could take many forms. Examples include attempts to influence voters through social media, sponsoring content in English language media such as the Russian outlet RT, or “seeding disinformation through sympathetic spokespersons regarding political candidates and disseminating foreign propaganda.”

Intelligence officials said they were concerned about “ongoing campaigns” by Russia, China, Iran and other countries to undermine confidence in American democracy.

The U.S. needs to continue its focus on Iran, not only on Iranian efforts to influence U.S. policy but also on the regime’s efforts to discredit dissidents and political opponents, who are growing in number and bolder, with protests flaring up throughout Iran.

Filed Under: Blog Tagged With: Featured, Iran Cyber Attacks, Iran Cyber terrorism
