Between breaking into the email accounts of United States government officials, political dissidents and international human rights organizations, Iranian hackers liked to joke about their slow internet service, poor pay and lack of skilled colleagues.
In conversations obtained by security researchers, the hackers groused like any other start-up employees, often frustrated by their lack of progress and inability to carry out more grandiose schemes.
But the work being discussed had global ramifications, and painted a picture of how Iranian hackers have matured over the last decade from defacing websites with crude photos and slogans. Now, they appear to be an organized work force, starting systematic cyberespionage campaigns aimed at promoting Iran’s interests around the world and on curbing dissent within the Islamic Republic.
In a report published on Thursday by the Carnegie Endowment for International Peace, Collin Anderson, an independent cybersecurity researcher, and Karim Sadjadpour, a Carnegie senior fellow, followed nearly a decade of the day-to-day activities of Iranian hackers.
Their report on Iran’s improving capabilities arrives as anti-government protests in the country enter their second week, prompting the regime to shut down access to the internet under the claim that it is being used to spread “violence and fear” among protesters.
Iran has long spied on the online activities of dissidents, but it has recently turned to cyberespionage campaigns aimed at the United States, according to recent reports by security firms. Those campaigns have left a trail of digital crumbs, allowing researchers to paint a vivid picture of whom Iranian hackers target — and when.
“Through their carelessness, we were able to get a real picture of who these individuals are and what their goals are,” said Mr. Anderson, who has been researching Iranian hackers for more than five years.
The hackers appeared to be testing malicious software on themselves or accidentally clicked on malware they were developing. Either way, they exposed activity on their own computers, inadvertently giving researchers a glimpse into their lives through chat logs, emails and the targeting of their victims.
One six-month chat log between two Iranian hackers gave particular insight into how they ran their day-to-day operation. By tracing where and how web domains were registered, as well as other data found online, Mr. Anderson concluded that the aliases “mb_1986” and “ArYaIeIrAN” represented two Iranian men whose real names were Mojtaba Borhani and Behrouz Keshvari.
Neither replied to a request for comment sent to email addresses referred to in their chat logs.
Both had roots in the Iranian defacement community, which would attack and take over websites and Twitter accounts, replacing them with pro-Iranian slogans and images.
Over time, the two become more sophisticated, developing malware as they moved between Iranian hacking groups. Recently, the men have been tied to a group known as “Charming Kitten” by security companies. The group is believed to be responsible for a range of attacks, including targeting aviation companies in the United States.
The chat logs showed two men frustrated with the pace of their work.
“We need someone for Mac in Tehran,” Mr. Keshvari wrote on June 15, 2014, bringing up a topic the two men had discussed nearly a month earlier. The best hackers, he complained, were making “good money” elsewhere, and were not tempted by the idea of moving to Tehran to work in a cramped office for roughly $780 a month. There should be some other benefit, Mr. Keshvari joked, at one point suggesting they offer to send prospective hires on vacation to Turkey and Thailand.
Mr. Keshvari appeared focused on bringing in prospective new hires, but he was often stymied by Mr. Borhani. On May 30, 2014, he complained that Mr. Borhani had scared off prospective new hires.
“Listen, if during the interview you ask them about working with SCADA, I will kill you,” Mr. Keshvari wrote, referring to the operating system used to control industrial facilities, such as power plants or oil and gas refineries.
Mr. Keshvari responded that he “does not do the interview in this way.” And after several profanities were exchanged, the two agreed to meet with a new recruit.
“We need them … send them here,” Mr. Borhani wrote. He repeatedly pressed for programmers with expertise in Mac operating systems.
Their focus on hiring people with an expertise in Apple products, specifically the Mac operating system, was unsurprising, Mr. Anderson said, given that many of Iran’s dissidents and human rights workers had transitioned to Apple products in the hopes that they would prove more secure than Microsoft’s Windows software.
Last year, the first reports surfaced that Iranian hackers had developed malware targeting Macs. The malware stole victim’s passwords, and it has been used to target Iranian dissidents as well as the defense contractors in the United States, according to Mr. Anderson’s report.
“Imagine them like start-ups who are contracted to the government,” Mr. Anderson said. “They are chasing demographics that the government has an interest in targeting.”
The two men often discussed names and shared phone numbers of people they were working with, and one individual appeared to warrant deference. A figure named only as “Hajji,” a title widely used in the Muslim world to denote someone who carries out the hajj, a sacred pilgrimage to Mecca, appeared to frequently visit the men and make final decisions on whom they could hire to help with various projects.
“It seems likely that Hajji is an Iranian government handler,” Mr. Anderson said. Iran’s government, he added, is careful to not directly tie itself to hackers involved in offensive operations. Iran’s government also probably operates a separate cyberwarfare department, though the people it employs there appear more skilled and better at covering their tracks, he said.
“The vast majority of their most recent operations focuses on cyberespionage,” Mr. Anderson said, a statement echoed by John Hultquist, director of intelligence analysis at the FireEye cybersecurity firm, which recently published its own report about one of Iran’s more active hacking groups.
In the year since President Trump took office, Iran has focused its efforts on infiltrating the computers of anyone associated with the president, Mr. Anderson said.
“They are clearly trying to gain any insight they can as to what this administration is going to do vis-à-vis Iran,” he said. “They are very persistent, but we don’t know their level of success.”
There are few who know Iranian hackers persistence better than Thamar E. Gindin, an Iran specialist from Shalem College of Liberal Arts in Israel.
In May 2015, Ms. Gindin was the “patient zero” in an attack by Iranian hackers, who infiltrated her computer through a malicious email and used it to try to gain access to other academics studying Iran, according to a report published by the Israeli cybersecurity firm ClearSky.
With the help of ClearSky, the hackers were booted from her system. But in the two years since, they have tried almost monthly to get back in through a number of ploys playing to her personal interests — including posing as reporters from the BBC who hoped to interview her, and sharing a file on “unique chocolates” after she wrote a post on Facebook promoting her cousin’s chocolate business.
Among the groups targeting her are Charming Kitten, the group Mr. Borhani and Mr. Keshvari had been linked to.
“I feel like we are playing a game. I have to admit, I kind of like them,” Ms. Gindin said. “They are persistent and stubborn, but they aren’t very smart all the time. It’s really like a game.“
Source » nytimes