27 March 2023

The Scorched-Earth Tactics of Iran’s Cyber Army


IN THE EARLY hours of January 5, a popular anonymous Iranian dissident account called Jupiter announced on Twitter that his friends had killed Abolqasem Salavati, a maligned magistrate nicknamed the “Judge of Death.” The tweet went viral, and thousands of jubilant people poured into the account’s Twitter Space to thank them for assassinating the man responsible for sentencing hundreds of political prisoners to die.

Soon, however, a few attendees voiced doubts over the veracity of the claim. They were cursed at and kicked out of the room, as the host insisted, “Tonight is about celebration!” while repeatedly encouraging viewers to make the Space go viral. The next day, activists on the ground and Iranian media confirmed that Salavati was, in fact, alive. Several experts suspect Jupiter to have been an Islamic Republic of Iran cyber operation aimed at distracting people, while the Iranian government executed two protesters the same night as the Twitter Space.

Within its borders, the Iranian regime controls its population through one of the world’s toughest internet filtering systems, physical crackdowns, and mass arrests carried out with impunity. However, the IRI is vulnerable beyond its physical and virtual borders, as the regime struggles to contain the discourse and silence dissidents. To combat opposition narratives in the West and among VPN-armed domestic activists online, the IRI cyber army deploys multifaceted, devious, and sometimes clumsy tactics. With the ongoing political unrest in Iran, old cyber tactics have been ramped up, and new tricks that aim to distract, discredit, distort, and sow distrust have come to the fore as the regime finds itself in a critical moment.
Desperate Times, Desperate Measures

Among the tactics used by the IRI’s cyber agents—known colloquially as Cyberi—is old-school hacking. The Iran-linked hacker group Charming Kitten gained notoriety in 2020 for its spear-phishing attempts on journalists, scholars, and policy experts in the West. The group was recognized by its signature strategy of pretending to be reporters or researchers and feigning interest in their targets’ work as a pretext for setting up interview requests embedded with a spear-phishing link. Recent reports from the UK government’s National Cyber Security Center and security firm Mandiant found that such spear-phishing activities cyber groups TA453 and APT42, which are affiliated with the Iranian Revolutionary Guard Corps, have been increasingly prevalent. Last month, the popular anti-regime account RKOT claimed to have received an interview request geolocated to an IRGC department in Shiraz from an individual purporting to be a journalist from The New York Times.

According to Amin Sabeti, founder of CERTFA, a cybersecurity collective specializing in uncovering state-backed Iranian cyber activities, these operations have shifted their methods over the past few months, since most targets of interest are aware of the threat and have learned to protect themselves from spear-phishing. Instead, Sabeti says, they now use a “domino effect” strategy by taking aim at low-profile targets, whose credentials they harvest in order to build trust and gain access to higher-profile targets in their network. Early this month, for example, the Iranian Canadian human rights activist Nazanin Afshin Jam said that she received a spear-phishing link from a trusted colleague who had been hacked.

“Right now, they go after everyone who they are interested in, in terms of this revolution, especially people who are working in nonprofits,” Sabeti says.

Notably, some of these state actors establish credibility and trust over time by masking themselves as anti-regime voices and ardent supporters of the protest movement, or by building relationships with targets. One account by the name of Sara Shokouhi was created in October 2022 and claimed to be a Middle East scholar. The account spent months boosting opposition voices and writing heartfelt tributes to protesters before finally being outed by Iran experts as a state-sponsored phishing operation.

The ongoing protest movement in Iran has also given rise to more intense disinformation campaigns on social media. It is difficult to attribute the activities of anonymous accounts to the Iranian regime with certainty, since many regular Iranians are anonymous for security reasons. Occasionally, however, sloppiness—failing to delete old tweets or accidentally posting pro-regime messages on opposition sock puppet accounts—have revealed their likely affiliation with IRI intelligence.

The fast-paced, chaotic environment during protests within Iran has been ripe for disinformation and information pollution, making it too overwhelming to verify every claim even for researchers, says Simin Kargar, a nonresident fellow at the Atlantic Council’s Digital Forensic Research Lab.

According to Kargar, the prospects of IRI disinformation operations shifting the narrative in the regime’s favor are slim. However, its cyber activity has had the effect of sowing doubt, where no one is sure what is true and who is trustworthy.

“Iranian information operations haven’t been successful in terms of the region and the type of attention they tend to draw,” she says. “But if their sole accomplishment in this situation is to make everyone doubt whatever is said, even by credible people, that's a big accomplishment for them. It's about creating a climate of fear and intimidation more than making people believe them. Because at this point of 44 years of the Islamic Republic, no one believes what they say.”

No One to Trust

Although widespread vigilance against IRI state actors has made the public less susceptible to propaganda tactics, it has simultaneously created an environment of distrust, where anybody is potentially a regime goon.

A recent study by Hossein Kermani, a political communications researcher at the University of Vienna, outlines the various tactics deployed by the Iranian cyber army that muddy the waters: “Downgrading discussions to the level of the government, justifying the state’s policies, cheering up other users, portraying that everything is normal, redirecting debates, spreading fake news, trending misleading hashtags, and mocking dissidents and activists.”

Some of these strategies were used to accuse the two journalists who covered the death of Mahsa Amini of being Mossad agents, portraying the prominent Iran-based activist Sepideh Qolian as “mentally ill and hysterical,” and pretending to be activists calling for violent uprisings in order to justify violent crackdowns. Pro-regime accounts also mimicked and hijacked anti-regime hashtags, which were subsequently flooded with pro-regime misinformation. And IRI cyber forces boosted the “Do execute” hashtag in response to activists trending “Do not execute” against the string of death penalty verdicts against protesters.

Beyond causing confusion, discrediting and undermining opposition has been an essential component of Iranian cyber activity. This has partially been pursued by hacking opposition figures directly but also through sock puppet accounts, which pit one faction of the opposition against another.

Kargar, of the Atlantic Council, believes that the Iranian cyber response to the recent anti-regime movement signals a smarter and more prudent approach. She describes how regime-affiliated cyber groups hack as much as possible and hold onto their material, sometimes for years, only to release it when it can have maximum effect. These efforts are part of a wider effort to create the impression that nobody is trustworthy and nobody is credible, she says.

In late 2022, for instance, actress and activist Nazanin Boniadi began publicly collaborating with the son of the former shah, Reza Pahlavi, another popular opposition figure. Amid their attempts to present a unified front against the regime, the IRGC-affiliated hacker group Adl-e Ali sought to sow division by leaking old emails of Boniadi criticizing Pahlavi’s base of staunch monarchist supporters. With Pahlavi seeing a surge of popularity and credibility in the eyes of Western media in recent months, the hacker group has attempted to embarrass and discredit him by leaking old private photos and videos of Pahlavi snoring in his sleep, lying on the beach, and attending parties.

“If you can't win the hearts and minds, you might as well try to make everyone lose hearts and minds in one another. If you can’t win—make everyone else lose. That’s basically how they have been operating,” Kargar says.

While the regime might have lost the battle for the narrative, it has still had some successes, such as the “Judge of Death” distraction. Sabeti, the cybersecurity expert, believes that the case was an attempt by IRI cyber forces to test the waters toward future activities.

“I think it was to maybe the test the waters, to see how they can manage to change the narrative for the next [execution],” Sabeti says. “Because everyone knows it’s not the end of the story.”

No comments: