Iranian Hacker Spy Network Can Beat Encrypted Messaging Apps

Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyber espionage operation equipped with surveillance tools that can outsmart encrypted messaging systems, a capability Iran was not previously known to possess, according to two digital security reports released Friday.

The operation not only targets domestic dissidents, religious and ethnic minorities and anti-government activists abroad but can also be used to spy on the public inside Iran, said reports by Check Point Software Technologies, a cyber security technology firm, and the Miaan Group, a human rights organization that focuses on digital security in the Middle East.

The reports say the hackers have successfully infiltrated mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications like Telegram and, according to Miaan, even gaining access to information on WhatsApp.

The hackers have also created malware disguised as Android applications, the reports said.

A spokesman for Telegram said the company was unaware of the Iranian hacker operation but that "no service can prevent being imitated in 'phishing' attacks when somebody convinces users to enter their credentials on a malicious website".

WhatsApp declined to comment.

The reports suggest significant advances in the competency of Iranian intelligence hackers. And they come amid warnings from Washington that Iran is using cyber sabotage to try to influence the US elections.

Federal prosecutors on Wednesday identified two Iranian individuals they said had hacked into US computers and stolen data on behalf of Iran's government and for financial gain.

"Iran's behaviour on the Internet, from censorship to hacking, has become more aggressive than ever," said Mr Amir Rashidi, director of digital rights and security at Miaan and the researcher for its report.

According to the report by Check Point's intelligence unit, the cyber espionage operation was set up in 2014 and its full range of capabilities went undetected for six years.

Miaan traced the first operation to February 2018 from a malicious e-mail targeting a Sufi religious group in Iran after a violent confrontation between its members and Iranian security forces. It traced the malware used in that attack and further attacks in June this year to a private technology firm in Iran's north-east city of Mashhad named Andromedaa.

Miaan researchers determined that Andromedaa had a pattern of attacking activists, ethnic minority groups and separatist opposition groups but also had developed phishing and malware tools that could target the general public.

The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report.

Among the most prominent victims of the attacks, the reports said, are the Mujahedeen Khalq, or MEK, an insurgent group that Iranian authorities regard as a terrorist organization; a group known as the Association of Families of Camp Ashraf and Liberty Residents; the Azerbaijan National Resistance Organization; citizens of Iran's restive Sistan and Balochistan province; and Hrana, an Iranian human rights news agency. Human rights lawyers and journalists working for Voice of America have also been targeted, Miaan said.

According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets.

One of these is a Persian-language document titled The Regime Fears The Spread Of The Revolutionary Cannons.docx, referring to the struggle between the government and the MEK, sent to members of that movement.

Another document was disguised as a report on a cyber security researcher that human rights activists had widely awaited. These documents contained malware code that activated a number of spyware commands from an external server when the recipients opened them on their desktops or phones.

According to the Check Point report, nearly all of the targets have been organizations and opponents of the government who have left Iran and are now based in Europe. Miaan documented targets in the United States, Canada and Turkey as well as the European Union.

NYTIMES

By Admin
