CHRI – The Center for Human Rights in Iran (CHRI) has learned that during the first two weeks of April 2018, hackers attempted to take over the email and social media accounts of several well-known Iranians and dual nationals working for charitable and academic organizations.
Several targeted individuals, including some located in California, DC, and Tehran, confirmed to CHRI that they had experienced phishing attacks.
Phishing is a type of attack that tricks users into providing their personal online account passwords to hackers.
While the hackers’ took measures to conceal their identities, the fact that all their targets had direct or indirect ties with dual nationals currently imprisoned in Iran strongly suggests the hackers were affiliated with Iran’s security establishment.
Iranian media outlets affiliated with security agencies in Iran including the Islamic Revolutionary Guard Corps’ (IRGC’s) Intelligence Organization have revealed some of the names of the targeted individuals. As is custom for these outlets, they have also published unsubstantiated accusations and smear pieces about the victims.
One of the targets, a university-based academic, told CHRI: “In recent weeks, I have received dozens of phishing emails that mostly appear to be sent by my friends, colleagues at work, or similar individuals. But when you look at the emails, you notice that they did not originate from them [my contacts].”
“What is interesting is the kind of people who supposedly sent the phishing emails because it shows the attackers know my friends and associates, which increases the chance of successfully hacking into my account,” added the source who requested anonymity for security reasons.
“Of course, a little knowledge about internet security will reduce the chance of being hacked, but one cannot ignore this latest calculated scheme,” added the academic.
Accounts belonging to academics and social and civil rights activists based inside Iran have also been targeted.
On April 26, the official twitter account of the Imam Ali’s Popular Students Relief Society (IAPSRS), a well-known charity in Iran, tweeted, “Following today’s cyber attack on the phones and email accounts of several members of the Imam Ali Society, the society’s Telegram channel was also hacked. Therefore, this society will not be responsible for any suspicious activities or content and will apologize in advance to its honorable audience.”
Hours later it added: “Between 6 and 7:30 a.m. there were repeated attempts to hack the accounts of our members in the form of several text messages sent to the personal phones of these individuals asking them to confirm the verification code to access Telegram. The hacker was immediately able to steal or view the replies and gain access to the members’ personal accounts. In all cases, the location of the emails appeared to be in Quebec, Canada, but the time they arrived was consistent with Iran’s time zone. The next step taken by the hacker was to change the two-step password…”
Another tweet by the IAPSRS said, “In addition, the Gmail accounts of some of the members were hacked in the same manner, meaning that during the same period, the hacker was able to get into Gmail accounts and change passwords by texting messages to the individuals to confirm their passwords.”
The hacking method used in this case would have required the hackers to have access to the state-owned Telecommunications Infrastructure Company (TIC).
Hackers with access to Iran’s telecommunications infrastructure are able to intercept two-step verification codes (used to confirm a users’ access to their account) leaving those who do so in Iran extremely vulnerable to hacking attempts.
On this issue, the IAPSRS tweeted, “One of the hacked SIM cards was in a phone that was turned off. Therefore, the only way to intercept text messages was mid-way [through the TIC]…. It is clear that the person who carried out this ugly, deplorable action in whatever fashion had the ability to access the country’s texting infrastructure.”
Asked about the hacking attempts, Amin Sabeti, an internet and digital security expert in London told CHRI: “I seriously believe that Iranian hackers, who must be close to the IRGC, have started a new campaign against Iranian and non-Iranian individuals around the world.”
“What I am seeing now is the same unique methods they have used since March 2017 in the form of various individuals receiving phishing emails and their accounts being hacked,” he said. “In the latest, blatant example, the Telegram and Gmail accounts of IAPSRS members have been hacked by stealing their text messages”
“It is not possible to steal text messages without having access to the communications infrastructure and in IAPSRS’s case, it shows the hackers have close ties with the state, particularly the IRGC, which is one of the ITC’s main shareholders,” added Sabety.
CHRI has published several reports on hacking attacks against journalists, rights activists and social workers in Iran.
In November 2017, a CHRI investigation showed that malware targeting Mac computer users was sent in a ZIP file claiming to include an “article about women’s rights” to several Iranian journalists based abroad. Upon being opened, the file released the malware onto the victim’s computer.
Malware is a computer program that runs spyware with the aim of collecting information or eavesdropping on the victim after it is installed on a computer or mobile phone. Malware attacks are heavily used in Iran to monitor, take control of, or block accounts.
CHRI has learned that dozens of political and civil rights activists inside Iran have also been targeted with similar hacking methods aimed at accessing the victims’ personal online information and communications.