Pulling the Strings of the Net: Iran's Cyber Army

by FARVARTISH REZVANIYEH, Tehran Bureau, 26 FEB 2010.
[ overview ] During the past few months, the activities of Iran's Cyber Army have attracted growing notice in the Iranian and international media. The suspicion that the Cyber Army's constituent hacker groups are connected to the Iranian government was strengthened when, after several sites were hacked, they issued warnings to the Green Movement. 

The scope of the measures taken by the Cyber Army discredits the theory that a group of Ahmandinejad's admirers spontaneously carried out such acts. The nature of their communications and of the sites targeted for attack indicate that there are hidden hands that support the Cyber Army.

A review of the political messages published by the Cyber Army in recent months and official statements in its defense made by a government administrator of Iran's aviation industry prompt a closer examination of the group, which previous reports have claimed is composed of Russian hackers based outside of Iran. What, in fact, is the Iranian Cyber Army and where is it actually based? Before answering these questions, a summary look at recent incidents involving the group is in order.

Attack on Twitter

On the morning of Friday, 28 Azar 1388 (December 19, 2009), connections with the Twitter website were severed in some parts of the world, and those who tried to access it were transferred to a message in English that read:

U.S.A. Think They Controlling and Managing Internet By Their Access,

But They Don't, We Control And Manage Internet By Our Power, So Do Not

Try To Stimulation Iranian Peoples To....

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?

WE PUSH THEM IN EMBARGO LIST

Take Care.

Attack on Baidu

On the morning of Tuesday, 22 Dey 1388 (January 12, 2010), Baidu, the largest Chinese search engine, was hacked. A message posted on it read, "The Iranian Cyber Army has been launched in protest against intervention by foreign and Zionist sites in our country's domestic affairs and the spreading of lying and divisive news." A cyberwar between Iran and China quickly erupted. Internet bases of the Iranian government, including the official websites of the president and Supreme Leader, were disrupted by hackers referring to themselves as the Honker Union for China.

Attacks on Iranian Sites

On 10 Bahman (January 30), the Iranian Cyber Army hacked the website of Radio Zamaneh. The site's front page was changed to a picture of the Islamic Republic of Iran's flag accompanied by the slogans "Ya Hosein (aleihum salam)" and "Persian Gulf" and the following text:

If the Leader commands, we attack

If he asks, we sacrifice ourselves

If he wants us to be patient and steadfast

We will sit down and take it in stride.

On 23 Bahman (February 12), those who tried to access the site of Jaras News, which publishes reports on the Green Movement, discovered this message from the Iranian Cyber Army on its front page: "Out of respect for the referendum which was held on 22 Bahman and the people who voted and out of respect for the great nation and country named Iran ... do not be a tool of those who live safe and sound in America and are using you as a tool."

A Prank on the Iranian Cyber Army

On 16 Bahman (February 5), the website Khodnevis, administered by Nikahang Kowsar, published the following in its satirical column "False News":

In an amazing and unprecedented step, the Iranian Cyber Army hacked

the Mehrabad Airport portal so that those who try to access the site,

namely airport workers, are directed to the Raja Rail Company when

they type in its URL. It is said that the attack occurred in the early

hours of the night and continued into Saturday, confronting the airport

with a serious crisis. The sudden occurrence of dozens of air

accidents in the skies over Tehran as a result of the tower's air

traffic control communications systems' failure was considered the

most dangerous consequence of the attack, threatening the

capital of Iran. Although experts believe that the attack was committed by

mistake and the technical difficulties were fixed an hour later, the

Iranian Cyber Army, after hacking the Mehrabad portal, placed a flag

of the Islamic Republic of Iran with a blue stripe [instead of the

green that properly runs across the top of the tricolored flag], along

with a message reading, "The Iranian Cyber Army warns all mercenaries

who would sell out their country that they will not be safe even in

the skies."

This satire, based in part on the real message left by the Cyber Army when it hacked Radio Zamaneh, was soon picked up by various Iranian news sites. Within a few hours later, rumors had spread that the Iranian Cyber Army had mistakenly attacked a government website, for which the group was widely ridiculed. Although the report was soon eliminated from the various sites that had first taken it from Khodnevis, the rumor continued to spread, to the point that several large companies immediately contracted with Internet security groups to strengthen their website firewalls.

The Reaction of a Government Administrator

Two days later, on 18 Bahman (February 7), Morteza Dehqan, acting manager of Tehran's Mehrabad Airport, addressed a group of journalists concerning the rumor. In the process of denying that an attack had been made on the airport's site, he called the reports "news blackmail," saying:

When foreign agents failed to achieve their filthy ends after the

elections, they tried to concoct a conspiracy based on an attack on

Tehran's international airport in order to disrupt the country's

security atmosphere. No such attack occurred on the airport's

website's portal and this news is a pure lie from start to finish. It

is clear that the counter-revolutionary media has discovered the

Iranian Cyber Army's power and, out of fear of its power, wishes to

launch accusations through which it can divert public opinion.

Nikahang Kowsar, who had already explained on Khodnevis the satirical origin of the rumor, reflected on Dehqan's pronouncement: "When Mehrabad Airport's acting administrator denied the report about the attack on that airport's website, he defended the Cyber Army's record, and we realized that our fake news had done its job. An official officer of the Islamic Republic defended the Cyber Army in such a way that it seems that this group is led by the [ruling] system."

The Formation of the Iranian Cyber Army

During the past eight years, many groups of hackers have formed in Iran, the best known of which include Ashiyaneh, Shabgard, and Simorgh. These groups, seeking notoriety and in competition with each other, have attacked various websites with near-complete impunity.

As reports of infiltration into government websites increased, the intelligence agencies became interested in the power of hacking tools and initiated a concerted effort to identify and control those employing them. The cooperation of identified hackers was sought in order to pinpoint and counteract their rivals. Hackers were eventually enlisted to teach their techniques to military technicians.

The Ashiyaneh collective was one of the first to join the circle of government-affiliated hackers. The group, including some of the country's most skilled hackers, set about wrecking the sites of the Islamic Republic's opponents. Reports of its activities were published in government media, such as Voice and Vision, Kayhan, and IRNA.

Alongside the hacker group's activities, nominally private companies have been established whose primary duty is to recruit infiltrating forces, train military personnel in cyber attacks, and import technology for the operation from Dubai. Among the managers of these companies is the son of a senior security officer. Running a company established through the military budget, he has been busy recruiting expert Iranian infiltrators and has begun to accept cyberwar projects.

How Group Members Are Chosen

The plan for the formation of an Iranian Cyber Army was raised in the Revolutionary Guards in 1384 (2005). As opposition to the government spread, the process of its realization was accelerated. The Cyber Army has a human resources unit in charge of recruitment. When a professional hacker is identified, the unit contacts him and threatens him with imprisonment if he does not cooperate. Individual relationships and the flow of information are so tightly controlled that many participants are not even aware that they have been recruited as government collaborators and members of the Cyber Army. 

The talent level of the Cyber Army is very high, and its record indicates a technical capacity comparable to similar groups operated by the American and Israeli intelligence agencies. Indeed, the Cyber Army is overseen by many of the same people who run the Revolutionary Guards' official cyberwar defense operation, the Center for Struggle with Organized Cyber Crime.

In Ordibehesht 1388 (May 2009), the Fars news service reported that the American military and security foundation Defense Tech had declared Iran's cyber forces among the five most powerful in the world, based on figures received from the CIA. Defense Tech estimated the Iranian Cyber Army's budget at 76 million dollars, and confirmed that it is run by a group from the Revolutionary Guards' cyber supervision team.

A Short Time to Execute Instructions

Iran's Cyber Army has so far not breached the servers of the websites it has targeted, but has contented itself with simply stealing access to their domains. This method indicates the temporal limitations under which the group operates. In the past few months, they have carried out orders using methods that can be executed swiftly. In the attack on Twitter, they hacked the computer of one of the company's officers with a Trojan horse and were able, by utilizing his email, to reset the domain of his control panel. The method was similar to that used in an attack five years earlier on a NASA website by an Iranian hacker group. In attacking Jaras and other Iranian sites, the Cyber Army has employed the DNS cache spoofing technique to divert traffic from the intended domain.

Photo: Not to be mistaken for the Greens, "Iran's Cyber Army" touts a Gmail address and flies a green flag for Shia's arch-martyr Imam Hussein.

Credits: Tehran Bureau: Pulling the strings on the Net: Iran's Cyber Army

Considering means to support the Iranian pro-democracy movement: Technology in Green

Technology in Green

How Removing Sanctions Can Encourage Iranian Democracy

By N. Kashani and M. Sadra, Foreign Affairs, February 26, 2010

Summary: 

The U.S. government is relaxing its limits on the export of Internet technology to Iran. Unless Washington takes further action, though, Tehran's filters might still stop Iranians from accessing critical digital tools.

N. KASHANI and M. SADRA are the pseudonyms of U.S.-based attorneys who are specialists in U.S. export laws regarding Iran.

Last December, the State Department recommended that the U.S. government adjust its sanctions on the export of Internet technology to Iran. This was a major step toward addressing an embarrassing incongruity in U.S. foreign policy. Previously, despite the United States’ espousal of democratic ideals, Congress and multiple administrations had made it illegal for U.S. companies, citizens, or lawful permanent residents to provide Iranian citizens with certain Internet tools, including personal communications programs and anti-filtering software. As the ongoing fallout from Iran’s disputed presidential election last June has shown, such tools are critical in fighting the Iranian regime’s unprecedented campaign of suppressing information and combating political opposition by censoring media, sporadically blocking or slowing the Internet, and intimidating journalists and photographers. The recent shift in U.S. policy, then, is overdue and welcome.

But for this shift to be truly effective, Washington must take further action. This is because, although filter-busting technology exists in Iran, it is hard to come by and often unreliable. Thus some technologies no longer blocked by U.S. sanctions may still remain practically unavailable to Iranians because of Tehran’s filters. Removing sanctions on instant messaging and social-networking software is not enough: to have a concrete effect, the United States must also remove the legal impediments that prevent anti-filtration software from being lawfully exported to Iran.

Iran’s Green Movement, a loosely defined opposition to the ruling establishment, regularly ignores government prohibitions on dissent and uses various outlets to protest governmental corruption, authoritarianism, and opacity. Offline examples include scrawling anti-regime slogans and sarcastic retorts on paper currency and shouting haunting chants of “God is great” from balconies at night. Online, opposition supporters organize rallies through chat rooms and social-networking sites, disseminate videos through YouTube and various other video-sharing sites, and create simple Web sites for posting firsthand accounts of anti-government activism.

Such a reliance on technology should come as no surprise, since Iran has one of the most educated populations in the Middle East. Over 80 percent of Iranians are literate, and more than 25 percent use the Internet (the second-highest percentage in the Middle East, after Israel). And Iranians are proficient adapters of new technologies: Persian (Farsi) is now one of the ten most common languages used worldwide for blogging. This explains why the Iranian government expends great resources on slowing and censoring the Internet -- and why the United States and others should remove sanctions that prevent Iranians from communicating freely, both among themselves and with the outside world.

The State Department’s recent decision means that the Obama administration will now apply broad interpretations to various "exceptions" in the Iranian Transactions Regulations, which date back to 1995.

The State Department’s recent decision means that the Obama administration will now apply broad interpretations to various "exceptions" in the Iranian Transactions Regulations, which date back to 1995 and are promulgated by the Treasury Department. Under this law, the Treasury Department prohibits U.S. persons (defined as companies, citizens, or U.S. residents, regardless of their location) from certain commercial and technological interactions with Iran.

Previously, the Treasury Department’s Office of Foreign Assets Control (OFAC), the entity charged with administering U.S. sanctions on Iran, interpreted the regulations narrowly. Few goods, services, or technologies qualified as exceptions. For example, OFAC interpreted the regulations’ telecommunications exception to allow only telephone calls -- and not the sale of digital communications -- between Iran and the United States. It was thus a crime for U.S. companies to provide Iranians with Internet services, including many that are standard today, such as Web browsers, instant-messaging programs, and social-networking sites. Likewise, the information exception, which allows export of informational content and materials (such as academic publications and artwork), was also narrowly construed by OFAC. This also prevented instant-messaging programs and social-networking technology from being made lawful for export to Iran.

Developments in technology rendered OFAC’s approach grossly outdated, a fact implicitly acknowledged by the State Department’s recent instructions. But the law will still reflect an antiquated view unless OFAC takes additional measures. First, OFAC must issue a general license allowing companies to provide effective technologies to Iran (or invite parties to apply for specific licenses for that purpose). Unless OFAC issues a general license, individuals and nonprofits will still be required to go through the cumbersome and often arbitrary application process currently in place. Second, OFAC must clarify whether the current information exception -- which clearly excludes information itself, such as publications, films, posters, CDs, and other basic media from U.S. sanctions -- also applies to the complementary software used to access it. OFAC’s longstanding interpretation meant that Internet users were free to send information to Iran, but the software needed to access it was technically prohibited. Thus, software and technology companies such as Microsoft and Google had well-founded fears of U.S. government civil or criminal action against them and consequently blocked Iranian users from using their instant-messaging software. As recently as two weeks ago, the open-source software provider SourceForge blocked its software from Iranian users, citing U.S. sanctions concerns as the reason.

Given the unprecedented and potentially fleeting nature of the Green Movement’s strength, it is imperative that OFAC clarify the new State Department directives. First, the Treasury Department could issue a general license for mass-market communications and anti-filtering software. This would not only allow for the export of existing technologies but also support engineers interested in developing technologies for future distribution and purchase. To maintain safeguards over certain sensitive technologies, OFAC and the Treasury Department’s Bureau of Industry and Security could jointly review each application, as they currently do in other contexts, such as in the approval process for the export of medicines and medical devices.

Second, the U.S. Congress should pass the Iranian Digital Empowerment Act. First introduced in December 2009 in the House, IDEA notes that U.S. sanctions on Iran have had the “unintended effect of stifling Iranians’ access to the Internet and related Internet technologies.” The bill authorizes the export of software and services that would ease communication in Iran and allow Iranians to circumvent online censorship and monitoring efforts. It would help assure those companies and individuals that provide messaging services to Iranians that their actions do not violate U.S. law.

At the same time, IDEA is careful not to directly fund such tools or their dissemination to Iran. This is vital, as any direct involvement would feed the paranoia of Iran’s senior leaders about foreign governments fomenting a “velvet revolution.” Giving any legitimacy to that claim plays into the Iranian regime’s hands by granting them circumstantial evidence of foreign meddling when they have thus far been relegated to making bare allegations.

The world has recognized the courageous struggle of Iranian citizens to have their voices heard. The Iranian government, obsessed with maintaining its power at the expense of its citizens' freedoms, will eventually find itself on the wrong side of history. In the months ahead, the United States has the opportunity to restructure its sanctions policies so as to undermine -- rather than unintentionally support -- the Iranian regime’s bankrupt strategy.

Credits: Foreign Affairs: Technology in Green

A web video project: Iran Mozaik

Iran Mozaik is an inventive manner by which to explore the video footage taken by the 'citizen reporters' of the pro-democracy movement in Iran. As the project itself states:

"This video art creation is dedicated both to Iran's popular and democratic movement, and also particularly to all those anonymous "Reporter Citizens" who courageously circulate vital news from within the country, from places where professional media are barred from.

"Iran Mozaik Project" is a dynamic web project showing the current face of Iran according to the situation of the popular protest since June 2009 and the videos we receive through Youtube. 

As long as the struggle continues and courageous "citizen journalists" continue to send videos this map will continue to live.


This map will be different each time you will visit after major events. Thus the Iran of Ashura 2009 is different from the Iran of 22 Bahman 2009 and so on.


I hope one day it will freeze forever, not because we won't receive any image from Iran, but because the struggle of the people of Iran will be over and victorious!"


Follow this link to visit the project website: iranmozaik.com

Credits: Iran Mozaik