tehranbureau An independent source of news on Iran and the Iranian diaspora

Pulling the Strings of the Net: Iran's Cyber Army


26 Feb 2010 06:2910 Comments
iranhackers.jpg[ overview ] During the past few months, the activities of Iran's Cyber Army have attracted growing notice in the Iranian and international media. The suspicion that the Cyber Army's constituent hacker groups are connected to the Iranian government was strengthened when, after several sites were hacked, they issued warnings to the Green Movement. The scope of the measures taken by the Cyber Army discredits the theory that a group of Ahmandinejad's admirers spontaneously carried out such acts. The nature of their communications and of the sites targeted for attack indicate that there are hidden hands that support the Cyber Army.

A review of the political messages published by the Cyber Army in recent months and official statements in its defense made by a government administrator of Iran's aviation industry prompt a closer examination of the group, which previous reports have claimed is composed of Russian hackers based outside of Iran. What, in fact, is the Iranian Cyber Army and where is it actually based? Before answering these questions, a summary look at recent incidents involving the group is in order.

Attack on Twitter

On the morning of Friday, 28 Azar 1388 (December 19, 2009), connections with the Twitter website were severed in some parts of the world, and those who tried to access it were transferred to a message in English that read:

U.S.A. Think They Controlling and Managing Internet By Their Access,
But They Don't, We Control And Manage Internet By Our Power, So Do Not
Try To Stimulation Iranian Peoples To....
Take Care.

Attack on Baidu

On the morning of Tuesday, 22 Dey 1388 (January 12, 2010), Baidu, the largest Chinese search engine, was hacked. A message posted on it read, "The Iranian Cyber Army has been launched in protest against intervention by foreign and Zionist sites in our country's domestic affairs and the spreading of lying and divisive news." A cyberwar between Iran and China quickly erupted. Internet bases of the Iranian government, including the official websites of the president and Supreme Leader, were disrupted by hackers referring to themselves as the Honker Union for China.

Attacks on Iranian Sites

On 10 Bahman (January 30), the Iranian Cyber Army hacked the website of Radio Zamaneh. The site's front page was changed to a picture of the Islamic Republic of Iran's flag accompanied by the slogans "Ya Hosein (aleihum salam)" and "Persian Gulf" and the following text:

If the Leader commands, we attack
If he asks, we sacrifice ourselves
If he wants us to be patient and steadfast
We will sit down and take it in stride.

On 23 Bahman (February 12), those who tried to access the site of Jaras News, which publishes reports on the Green Movement, discovered this message from the Iranian Cyber Army on its front page: "Out of respect for the referendum which was held on 22 Bahman and the people who voted and out of respect for the great nation and country named Iran ... do not be a tool of those who live safe and sound in America and are using you as a tool."

A Prank on the Iranian Cyber Army

On 16 Bahman (February 5), the website Khodnevis, administered by Nikahang Kowsar, published the following in its satirical column "False News":

In an amazing and unprecedented step, the Iranian Cyber Army hacked
the Mehrabad Airport portal so that those who try to access the site,
namely airport workers, are directed to the Raja Rail Company when
they type in its URL. It is said that the attack occurred in the early
hours of the night and continued into Saturday, confronting the airport
with a serious crisis. The sudden occurrence of dozens of air
accidents in the skies over Tehran as a result of the tower's air
traffic control communications systems' failure was considered the
most dangerous consequence of the attack, threatening the
capital of Iran. Although experts believe that the attack was committed by
mistake and the technical difficulties were fixed an hour later, the
Iranian Cyber Army, after hacking the Mehrabad portal, placed a flag
of the Islamic Republic of Iran with a blue stripe [instead of the
green that properly runs across the top of the tricolored flag], along
with a message reading, "The Iranian Cyber Army warns all mercenaries
who would sell out their country that they will not be safe even in
the skies."

This satire, based in part on the real message left by the Cyber Army when it hacked Radio Zamaneh, was soon picked up by various Iranian news sites. Within a few hours later, rumors had spread that the Iranian Cyber Army had mistakenly attacked a government website, for which the group was widely ridiculed. Although the report was soon eliminated from the various sites that had first taken it from Khodnevis, the rumor continued to spread, to the point that several large companies immediately contracted with Internet security groups to strengthen their website firewalls.

The Reaction of a Government Administrator

Two days later, on 18 Bahman (February 7), Morteza Dehqan, acting manager of Tehran's Mehrabad Airport, addressed a group of journalists concerning the rumor. In the process of denying that an attack had been made on the airport's site, he called the reports "news blackmail," saying,

When foreign agents failed to achieve their filthy ends after the
elections, they tried to concoct a conspiracy based on an attack on
Tehran's international airport in order to disrupt the country's
security atmosphere. No such attack occurred on the airport's
website's portal and this news is a pure lie from start to finish. It
is clear that the counter-revolutionary media has discovered the
Iranian Cyber Army's power and, out of fear of its power, wishes to
launch accusations through which it can divert public opinion.

Nikahang Kowsar, who had already explained on Khodnevis the satirical origin of the rumor, reflected on Dehqan's pronouncement: "When Mehrabad Airport's acting administrator denied the report about the attack on that airport's website, he defended the Cyber Army's record, and we realized that our fake news had done its job. An official officer of the Islamic Republic defended the Cyber Army in such a way that it seems that this group is led by the [ruling] system."

The Formation of the Iranian Cyber Army

During the past eight years, many groups of hackers have formed in Iran, the best known of which include Ashiyaneh, Shabgard, and Simorgh. These groups, seeking notoriety and in competition with each other, have attacked various websites with near-complete impunity.

As reports of infiltration into government websites increased, the intelligence agencies became interested in the power of hacking tools and initiated a concerted effort to identify and control those employing them. The cooperation of identified hackers was sought in order to pinpoint and counteract their rivals. Hackers were eventually enlisted to teach their techniques to military technicians.

The Ashiyaneh collective was one of the first to join the circle of government-affiliated hackers. The group, including some of the country's most skilled hackers, set about wrecking the sites of the Islamic Republic's opponents. Reports of its activities were published in government media, such as Voice and Vision, Kayhan, and IRNA.

Alongside the hacker group's activities, nominally private companies have been established whose primary duty is to recruit infiltrating forces, train military personnel in cyber attacks, and import technology for the operation from Dubai. Among the managers of these companies is the son of a senior security officer. Running a company established through the military budget, he has been busy recruiting expert Iranian infiltrators and has begun to accept cyberwar projects.

How Group Members Are Chosen

The plan for the formation of an Iranian Cyber Army was raised in the Revolutionary Guards in 1384 (2005). As opposition to the government spread, the process of its realization was accelerated. The Cyber Army has a human resources unit in charge of
recruitment. When a professional hacker is identified, the unit contacts him and threatens him with imprisonment if he does not cooperate. Individual relationships and the flow of information are so tightly controlled that many participants are not even aware that they have been recruited as government collaborators and members of the Cyber Army. The
talent level of the Cyber Army is very high, and its record indicates a technical capacity comparable to similar groups operated by the American and Israeli intelligence agencies. Indeed, the Cyber Army is overseen by many of the same people who run the Revolutionary Guards' official cyberwar defense operation, the Center for Struggle with Organized Cyber Crime.

In Ordibehesht 1388 (May 2009), the Fars news service reported that the American military and security foundation Defense Tech had declared Iran's cyber forces among the five most powerful in the world, based on figures received from the CIA. Defense Tech estimated the Iranian Cyber Army's budget at 76 million dollars, and confirmed that it is run by a group from the Revolutionary Guards' cyber supervision team.

A Short Time to Execute Instructions

Iran's Cyber Army has so far not breached the servers of the websites it has targeted, but has contented itself with simply stealing access to their domains. This method indicates the temporal limitations under which the group operates. In the past few months, they have carried out orders using methods that can be executed swiftly. In the attack on Twitter, they hacked the computer of one of the company's officers with a Trojan horse and were able, by utilizing his email, to reset the domain of his control panel. The method was similar to that used in an attack five years earlier on a NASA website by an Iranian hacker group. In attacking Jaras and other Iranian sites, the Cyber Army has employed the DNS cache spoofing technique to divert traffic from the intended domain.

Photo: Not to be mistaken for the Greens, "Iran's Cyber Army" touts a Gmail address and flies a green flag for Shia's arch-martyr Imam Hussein.

SHAREtwitterfacebookSTUMBLEUPONbalatarin reddit digg del.icio.us


Unanswered: Why would an Iran government-backed group- acting on so-called orders- choose a Chinese internet entity to disrupt?

Doesn't make sense.

More than likely this is a group of attention seeking "privateers" of unknown origin.

Pirouz / February 27, 2010 8:31 AM


This is the same exact story that was posted on a green website several days ago with a new title. [Yes, Samuel. The author submitted it to Tehran Bureau through a contributor and wanted to see it republished. Ed.]

Samuel / February 27, 2010 1:18 PM


Why keep the readers in suspense? Name the guy and his company, please.

Ali from Tehran / February 27, 2010 8:42 PM

Fiddling while Rome burns

They should look into the seating plans, arrival Dinner menu, and docking order for the Titanic too

Shah / February 27, 2010 8:58 PM

Companies and Names involved:
1.Noujan, under supervision of Revolutionary Guard, www.noujan.net . List of clients consists of only Government Web sites.
2.Simorgh, under supervision of Hossein Asgari, son of an ex-intelligence agent and former head of Simorgh Security Team. Believed to be of the core staff of this "army".
3.Behrooz Kamalian, CEO of Ashiyane.

unnamed / February 28, 2010 1:28 AM

The author says:


Dear author, please don't keep us in nail-biting suspense. Identify the 'son' and name his company.

Ali from Tehran / February 28, 2010 1:41 AM

The level of paranoia with which the IRI regime seems riddled is both laughable and alarming, that it leads them to believe that because they employ all of these base means of staying in power, just as their Chinese teachers do, every other country must surely be using these methods to plot and achieve their overthrow; this despite their proclaimed 50 million regime supporters, a higher percentage than supposedly voted for AN in June '09!

So, if there are such a large majority out there backing them, why does the regime need to deal so harshly with who they once called dust or chaff, but now treat as though they were an invading army of overwhelming numbers?

The histrionics and tortured language the mullahs, the IRGC generals and their pet monkey AN use to simultaneously proclaim the "glory of the Islamic revolution" and then denounce the US, UK and Israel as the cause for every Iranian internal problem that instead are due entirely to their own incompetence, smack of their desperation in trying to keep a lid on a boiling cauldron.

No confident government with a true electoral mandate of the size the regime claims need go to such lengths to stifle the slightest dissent from their "party line" in order to remain in power.

And, if Allah truly ordained the creation of this governing system and its leadership and actions, he either must not be benevolent, for allowing its abuses of any of his children, or, if benevolent, not omnipotent, for lacking the ability to prevent them.

This is not a supreme being I wish to worship, and as for the IRI, this supposedly ultimate perfection in form of government and society, the world can see for itself that despite its inceasingly shrill pronouncements, it is on a march to oblivion, not ascendancy, let alone control of the entire world's population.

farzad / February 28, 2010 4:02 AM


Jim Brown / February 28, 2010 9:18 PM

Aside from the disruption of our military forces when they disable the internet. We should not let Congress do away with the Post Office. We have to keep the orgaization alive, like the pre-war National Guard and Reserve.
Beause when total disruption of the internet occurs, the Poney Express will be alive and well.


Edward / March 3, 2010 7:05 AM

I agree with much that has been said above. The problem with conspiracy theories is that they can run away on us.

My frustration these days is that there has been a coup d etat in the US. Wall Street, the Treasury and the Fed have taken over the Whitehouse, while the Pentagon does it's own thing with drug money from Afghanistan.

The recession was caused by Wall Street, and a number of "creative" financial mechanisms dreamed up by Pd.d.s in Math and Economists - the worst being derivatives (CDOs, CDSs. MBSs, etc). They went from bankrupting investors to institutions, to cities to states, then off shore to Iceland and Greece (as back doors) to the EU.

This cabal of bankers and global corporatists now run the country (and other), let's just say the West). Goldman even has a computer in the NYSE to front-run investors by a nanosecond, and nobody has stopped them.

Well, if there has been a cyber coup; there can be a cyber counter coup - if hackers have balls and any sense of what has happened. These guys/gals hack systems for fun, and pester the rest of us with childish viruses and Trojans for fun.

Why don't they grow up and take back power for their democratically elected governments - hack in and move money back to it's rightful owners. Don't be stupid and do anything illegal. This is about putting democratically elected government back in the driver's seat and putting the cyber boots to this cartel of banksters and corporate oligarchs who took over the country while nobody was looking or understood.

Why worry about foreigners - even though there is some legitimacy to that concern - when there has been a non-violent cyber cup that has brought the country to its knees. Take it back. Demonstrations and civil unrest are passe; all the people who have stocked up on guns and ammo are passe, but where are our tekkies. Agree or disagree, the people elected a national, state and municipal governments who were silly enough to back these Wall Street criminals with taxpayer money (some capitalist/corporatists they are; they turned socialist in a second flat).

Money is power. It belongs to the governments - the people; it should be returned non-violently. And then Obama and the Governors and Mayors had better get to work. Our enemy is within. Tekkies can restore the democratically elected governments and put the crooks where they belong. Elected governments can be slow and cumbersome, but rule by a totalitarian elite is something you don't want. Now sit their and whine - or put our elected leaders back in charge.

Jim Roache / March 11, 2010 1:19 AM