Project “Pistachio Harvest”

Months of research in Iranian networks is uncovering at least 16000 systems controlled by Iran outside borders and 2000 of these were infected machines of businesses in the US, Israel and other countries.

Many of the Internet Protocol addresses (IPs) of those machines are hosting .ir websites, domains that are used as platforms for attacks. According to the company, in many cases visitors to those sites are later infected with malware, software designed specifically for surveillance and to obtain valuable data from target organisations.

Most targets are in the US although attacks have also hit including UK, Israel, Germany and Canada. Various US and European hosting companies also have been abused. Cloud and hosting services of industry giants like Amazon and GoDaddy are used to launch the attacks.

Norse believes previous research into Iranian activity may included false assumptions about the actors involved as Iran has been able at creating disinformation and used more than 5000 fake social networking profiles to trick viewers to following tracks to nobody and nowhere.

iSight released a report and claimed that these fake profiles were used to spy on military leaders and political staff across the world.

Norse set up fake systems that appeared to belong to businesses and critical infrastructure providers that was attractive to attackers. The organization collected data of subsequent attacks and traced a large number to Iran. Norse also used “millions of sensors dropped all over the world” and analysis tools for tracing.

Turkey and Iran collaborate on cyber issues and is reported that Turkey in exchange for oil and other goods helped Iran circumvent US and European sanctions that were implemented in response to that country’s nuclear programs.

Rival security research firm CrowdStrike says that it tracks four different Iranian groups that it calls Kittens. Each Kitten is separate from the other and has its own modus operandi and target list. Finally there is Cutting Kitten.

Role of Iran’s Universities

Islamic Republic of Iran has other ways in encour aging IT entrepreneurs follow its commands. For example the role of government in Iran’s university system is enormous. The regime invested large amounts in building IT and other scientific infrastructure at the top educational institutions including Sharif Univer sity of Technology, Shahid Beheshti Universityand IRGC linked Malek Ashtar University and in return can direct research in ways to pursue regime objectives.

The development of Iran’s nuclear weapons program after 2003 is an example for understand ing the evolution of the relationship between gov ernment, security services and universities in IT. When Supreme Leader Khamenei ordered stop to Iran’s state nuclear weapons research program after the US invasion to Iraq in 2003 and his lieutenants built a new structure that spread rel evant research through the university system.

The scale and effects of this effort are visible but assessing the level of awareness and or willingness of all the univer sity participants in it is not easy and Iran’s IT sector works in a similar fashion. Government and secu rity institutions collaborate with universities in research to achieve government aims and make faculties and students components of regime strategic efforts. Students after graduation find themselves in a network of associations and research projects that mostly also supports regime priorities, whether they know or not.

The Islamic Republic also uses incentives created by mandatory military service to encourage aspiring young programmers to support state security efforts directly. At least one scientist involved in research related to development of nuclear weapons writes in his resume that he was exempted from com pulsory military service in exchange for work on a project deemed useful to the armed forces. This pro gram of exemption was developed in 2007.

Therefore Iran’s leaders have carefully and consciously built national IT, education and corporate infrastruc tures that produce excellently educated developers with incentives to pursue government objectives and not use skills against the government. They have involved Iran’s security organs especially the IRGC, through these structures in ways to allow the regime uses these IT and hacking capabilities with plausible deniability. In addition they have built an internet infrastructure designed to hide the sources of malicious activity and give the government the ability to monitor, regulate and control citizens access to the internet in extremely detailed ways.

Full details of the Norse Project Pistachio Harvest report are found here: