Pulling the Strings of the Net: Iran's Cyber Army
by FARVARTISH REZVANIYEH
26 Feb 2010 06:29
A review of the political messages published by the Cyber Army in recent months, together with an official statement made in its defense by a government administrator in Iran's aviation industry, prompts a closer examination of the group, which earlier reports claimed was composed of Russian hackers based outside Iran. What, in fact, is the Iranian Cyber Army, and where is it actually based? Before answering these questions, a summary of recent incidents involving the group is in order.
Attack on Twitter
On the morning of Friday, 28 Azar 1388 (December 19, 2009), access to the Twitter website was cut off in some parts of the world, and those who tried to reach it were redirected to a page carrying a message in English that read:
U.S.A. Think They Controlling and Managing Internet By Their Access,
But They Don't, We Control And Manage Internet By Our Power, So Do Not
Try To Stimulation Iranian Peoples To....
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Attack on Baidu
On the morning of Tuesday, 22 Dey 1388 (January 12, 2010), Baidu, the largest Chinese search engine, was hacked. A message posted on it read, "The Iranian Cyber Army has been launched in protest against intervention by foreign and Zionist sites in our country's domestic affairs and the spreading of lying and divisive news." A cyberwar between Iran and China quickly erupted: Iranian government websites, including the official sites of the president and the Supreme Leader, were disrupted by hackers calling themselves the Honker Union for China.
Attacks on Iranian Sites
On 10 Bahman (January 30), the Iranian Cyber Army hacked the website of Radio Zamaneh. The site's front page was changed to a picture of the Islamic Republic of Iran's flag accompanied by the slogans "Ya Hosein (aleihum salam)" and "Persian Gulf" and the following text:
If the Leader commands, we attack
If he asks, we sacrifice ourselves
If he wants us to be patient and steadfast
We will sit down and take it in stride.
On 23 Bahman (February 12), those who tried to access the site of Jaras News, which publishes reports on the Green Movement, discovered this message from the Iranian Cyber Army on its front page: "Out of respect for the referendum which was held on 22 Bahman and the people who voted and out of respect for the great nation and country named Iran ... do not be a tool of those who live safe and sound in America and are using you as a tool."
A Prank on the Iranian Cyber Army
On 16 Bahman (February 5), the website Khodnevis, administered by Nikahang Kowsar, published the following in its satirical column "False News":
In an amazing and unprecedented step, the Iranian Cyber Army hacked
the Mehrabad Airport portal so that those who try to access the site,
namely airport workers, are directed to the Raja Rail Company when
they type in its URL. It is said that the attack occurred in the early
hours of the night and continued into Saturday, confronting the airport
with a serious crisis. The sudden occurrence of dozens of air
accidents in the skies over Tehran as a result of the tower's air
traffic control communications systems' failure was considered the
most dangerous consequence of the attack, threatening the
capital of Iran. Although experts believe that the attack was committed by
mistake and the technical difficulties were fixed an hour later, the
Iranian Cyber Army, after hacking the Mehrabad portal, placed a flag
of the Islamic Republic of Iran with a blue stripe [instead of the
green that properly runs across the top of the tricolored flag], along
with a message reading, "The Iranian Cyber Army warns all mercenaries
who would sell out their country that they will not be safe even in
This satire, based in part on the real message left by the Cyber Army when it hacked Radio Zamaneh, was soon picked up by various Iranian news sites. Within a few hours, rumors had spread that the Iranian Cyber Army had mistakenly attacked a government website, for which the group was widely ridiculed. Although the report was soon removed from the sites that had first copied it from Khodnevis, the rumor continued to spread, to the point that several large companies immediately contracted with Internet security firms to strengthen their website firewalls.
The Reaction of a Government Administrator
Two days later, on 18 Bahman (February 7), Morteza Dehqan, acting manager of Tehran's Mehrabad Airport, addressed a group of journalists concerning the rumor. In the process of denying that an attack had been made on the airport's site, he called the reports "news blackmail," saying,
When foreign agents failed to achieve their filthy ends after the
elections, they tried to concoct a conspiracy based on an attack on
Tehran's international airport in order to disrupt the country's
security atmosphere. No such attack occurred on the airport's
website's portal and this news is a pure lie from start to finish. It
is clear that the counter-revolutionary media has discovered the
Iranian Cyber Army's power and, out of fear of its power, wishes to
launch accusations through which it can divert public opinion.
Nikahang Kowsar, who had already explained on Khodnevis the satirical origin of the rumor, reflected on Dehqan's pronouncement: "When Mehrabad Airport's acting administrator denied the report about the attack on that airport's website, he defended the Cyber Army's record, and we realized that our fake news had done its job. An official of the Islamic Republic defended the Cyber Army in such a way that it seems that this group is led by the [ruling] system."
The Formation of the Iranian Cyber Army
During the past eight years, many groups of hackers have formed in Iran, the best known of which include Ashiyaneh, Shabgard, and Simorgh. These groups, seeking notoriety and in competition with each other, have attacked various websites with near-complete impunity.
As reports of infiltration into government websites increased, the intelligence agencies became interested in the power of hacking tools and initiated a concerted effort to identify and control those employing them. The cooperation of identified hackers was sought in order to pinpoint and counteract their rivals. Hackers were eventually enlisted to teach their techniques to military technicians.
The Ashiyaneh collective was one of the first to join the circle of government-affiliated hackers. The group, which includes some of the country's most skilled hackers, set about wrecking the sites of the Islamic Republic's opponents. Reports of its activities were published in government media such as Voice and Vision (the state broadcaster), Kayhan, and IRNA.
Alongside the hacker groups' activities, nominally private companies have been established whose primary duties are to recruit hackers ("infiltrators"), train military personnel in cyber attacks, and import technology for the operation from Dubai. Among the managers of these companies is the son of a senior security officer. Running a company established through the military budget, he has been busy recruiting expert Iranian hackers and has begun to accept cyberwar projects.
How Group Members Are Chosen
The plan for the formation of an Iranian Cyber Army was raised in the Revolutionary Guards in 1384 (2005). As opposition to the government spread, its realization was accelerated. The Cyber Army has a human resources unit in charge of recruitment. When a professional hacker is identified, the unit contacts him and threatens him with imprisonment if he does not cooperate. Individual relationships and the flow of information are so tightly controlled that many participants are not even aware that they have been recruited as government collaborators and members of the Cyber Army. The talent level of the Cyber Army is very high, and its record indicates a technical capacity comparable to that of similar groups operated by the American and Israeli intelligence agencies. Indeed, the Cyber Army is overseen by many of the same people who run the Revolutionary Guards' official cyberwar defense operation, the Center for Struggle with Organized Cyber Crime.
In Ordibehesht 1388 (May 2009), the Fars news agency reported that the American defense and security publication Defense Tech had ranked Iran's cyber forces among the five most powerful in the world, based on figures received from the CIA. Defense Tech estimated the Iranian Cyber Army's budget at 76 million dollars and reported that it is run by a group from the Revolutionary Guards' cyber supervision team.
A Short Time to Execute Instructions
Iran's Cyber Army has so far not breached the servers of the websites it has targeted; it has contented itself with hijacking their domain names. This choice of method points to the time pressure under which the group operates: in the past few months it has carried out its orders using techniques that can be executed quickly. In the attack on Twitter, the group infected the computer of one of the company's staff with a Trojan horse and, using his e-mail account, reset the credentials of the domain's control panel and repointed the domain to its own page. The method was similar to that used in an attack five years earlier on a NASA website by an Iranian hacker group. In attacking Jaras and other Iranian sites, the Cyber Army has employed DNS cache poisoning ("cache spoofing") to divert traffic away from the intended domain. From a visitor's vantage point the two methods look identical, a browser lands on the attacker's page, so telling them apart requires querying the domain's authoritative name servers directly and comparing their answer with what the recursive resolver returns: if the authority itself now points elsewhere, the registrar or DNS account was taken over; if only the resolver's answer differs, the resolver's cache was poisoned or the resolver itself was compromised.
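The following is an added example, written for this page and not code from the article, the Cyber Army, or any of the sites named above. It reconstructs, on constructed DNS wire-format messages, the checks a resolver applies before accepting an answer (transaction ID, question match, and bailiwick), shows why a forged reply that guesses the 16-bit ID correctly still gets through, and includes a small triage helper for the registrar-takeover versus cache-poisoning distinction. Every name and address is a documentation example (example.com, 192.0.2.0/24, 198.51.100.0/24), the `classify_divergence` rule is this example's own heuristic, and the bailiwick model is simplified to "owner name is inside the zone asked".

```python
import secrets
import struct

# Constructed example: minimal DNS wire-format encoder/parser, resolver-side
# acceptance checks, and a triage helper.  Names, addresses and the triage
# rule are assumptions of this example, not data from any real incident.

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(qname, txid):
    """Standard recursive A query: header, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid, qname, records):
    """Response echoing the question; records = [(owner, ipv4, ttl), ...]."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip, ttl in records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return msg

def parse_message(msg):
    """Parse header, the single question, and any A records in the answer section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}

def in_bailiwick(owner, zone):
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)

def accept_response(query, response, zone):
    """Checks a resolver makes before caching; returns (accepted records, reason)."""
    q, r = parse_message(query), parse_message(response)
    if r["txid"] != q["txid"]:
        return [], "txid mismatch"
    if not r["flags"] & 0x8000:
        return [], "not a response"
    if r["qname"].lower() != q["qname"].lower() or r["qtype"] != q["qtype"]:
        return [], "question mismatch"
    records = [rr for rr in r["answers"] if in_bailiwick(rr[0], zone)]
    return records, ("ok" if records else "no in-bailiwick answers")

def classify_divergence(expected_ip, authoritative_ip, resolver_ip):
    """Heuristic triage of a redirect (this example's own rule, not a standard)."""
    if authoritative_ip != expected_ip:
        return "authority changed: registrar or DNS-account takeover"
    if resolver_ip != authoritative_ip:
        return "resolver diverges from authority: cache poisoning or resolver compromise"
    return "consistent"

def demo():
    zone, qname = "example.com.", "www.example.com."
    txid = secrets.randbelow(65536)
    query = build_query(qname, txid)
    legit = build_response(txid, qname, [(qname, "192.0.2.10", 300)])
    bad_id = build_response((txid + 1) % 65536, qname, [(qname, "198.51.100.7", 86400)])
    off_zone = build_response(txid, qname, [("www.example.net.", "198.51.100.7", 86400)])
    guessed = build_response(txid, qname, [(qname, "198.51.100.7", 86400)])  # ID guessed right
    return {
        "legit": accept_response(query, legit, zone),
        "bad_id": accept_response(query, bad_id, zone),
        "off_zone": accept_response(query, off_zone, zone),
        "guessed": accept_response(query, guessed, zone),   # accepted: 16-bit ID alone is weak
        "triage": classify_divergence("192.0.2.10", "192.0.2.10", "198.51.100.7"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "guessed" case is the point of the cache-poisoning technique the article attributes to the group: once a forged reply carries the right transaction ID and an in-bailiwick owner name, a resolver without source-port randomization or DNSSEC validation caches the attacker's address for the full TTL. In practice the triage inputs come from querying the domain's authoritative name servers directly and the recursive resolver you suspect; DNSSEC validation is what removes the guesswork.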
Photo: Not to be mistaken for the Greens, "Iran's Cyber Army" touts a Gmail address and flies a green flag for Shia Islam's arch-martyr Imam Hussein.