Desperate Iranian Ideas For Social Media Control

Mohammad-Ali Movahedi Kermani: not liking the Internet

In the latest desperate attempt to subvert the freedom of Iranian expression, the regime wants to enforce permits for foreign social network applications, such as Telegram and Instagram, with membership of 5000 or more users. The desire for such control also extends to other domestic platforms including Salam Up, Soroush, BisPhone, Cloob and Syna, along with advertising, news and entertainment channels on social media networks.

The cleric Mohammad-Ali Movahedi Kermani thinks that the Internet is a threat to Islam, because the Internet is full of rampant “tele-sex” and in his eyes is ultimately “immoral”. So concerned is Movahedi Kermani, that he puts the importance of subverting such “evil” as being above electoral issues or other pressing concerns, such as use of the Hijab.

Mahmoud Vaezi: deluded

Telecommunications Minister Mahmoud Vaezi thinks that channels with 5000 or more members should require permits so that the poor naive Iranian population can be assured such channels will not be fooling them with false information. Vaezi has been involved in Iran’s “filternet”, after Ahmadinejad’s attempts in 2007 to “control” the Internet, and now the replacement “national Internet”, or ShoMA, is vainly trying to do the same thing. Badly.


The Deputy Culture Minister for Communications Technology and Digital Media, Ali-Akbar Shirkavand, also wants a website that will soon be launched for administrators of such “channels” to register and continue their activities after authentication. The fear is, such controls by the regime could affect the opinions of journalists, artists and celebrities.


Cyber Police (FATA): Losing the plot

FATA chief Brigadier General Kamal Hadianfar said that Telegram is the main platform for cybercrimes among mobile social networks. “The platform for 66% of the crimes is Telegram, while Instagram accounts for 20% and less than 2% is observed on WhatsApp,” he said, without clarifying what “cybercrimes” were being committed via such applications… perhaps they include (according to Shirkavand anyway) copyright infringement and the sale of “immoral” goods on such channels.

Kamal Hadianfar: battling the “evils” of social networks

A reality check: discord and feasibility

The regime’s desire to crack-down on Internet freedoms is at odds with an overtly more liberal stance on such technology by Hassan Rouhani; Rouhani calls for more freedom of expression, but everyone else wants to suppress it #awkward. For example, Attorney General Hojjatoleslam Mohammad-Jafar Montazeri wants to shut down what he calls “anti-religion” networks and said of them: “Down with the freedom that is destroying everything…this is absolute enslavement”.
There is also the minor issue (conveniently overlooked by the regime) of Iran’s inability to see the encrypted communications of platforms such as Telegram, and vain requests to get access to servers that must be placed in Iran are naive, at best. Also, what are the sentences to be expected by such “cybercriminals” who would dare to use such platforms? The whole thing is a joke and everyone knows it (even the regime).

Iranian Hackers Using “Mamba” Ransomware?

Are Iranian hackers involved in using the “Mamba” ransomware (or possibly behind the ransomware itself)? It seems unclear, but an article in November by Brian Krebs indicates there could be a connection.

What is Mamba?

According to Sophos, the Mamba ransomware scrambles every disk sector, including the Master File Table (MFT), the operating system, all applications, files and all personal data. Mamba installs the DiskCryptor Full Disk Encryption (FDE) tool (this type of software asks for a password at bootup, and decrypts every sector as it is read/encrypts every sector as it is written).

The details

The infection vector Mamba uses is not exactly known, but probably uses social engineering in the form of an email link for a user to click on. 

If a user does stupidly cause the Mamba ransomware to be downloaded, then on a Windows system they would see the User Account Control (UAC) window appear asking to install MAMBA.EXE (!). What happens next, if the software is allowed to install, is:

  • Mamba installs itself as a Windows service (called DefragmentationService) using local SYSTEM privileges.
  • The computer then reboots.
  • After the reboot, Mamba installs DiskCryptor, which is located in the directory C:\DC22.
  • At this stage, the user can still recover the computer (the encryption is not complete): running the DCRYPT utility and selecting the Decrypt option, the user will find the password in plaintext in the file log_file.txt. However, if the user allows the computer to reboot again beforehand, the disk will be fully encrypted and the user has no way of knowing the password.

On older Windows systems that use a Master Boot Record (MBR) on the hard drive, you will see something similar to the message the Petya ransomware uses; on newer Windows systems, you won’t see the message. In both cases, your only option is to wipe the hard drive; all data is gone.
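As an added example (not code from the original post or from the Mamba authors), the PowerShell triage a responder would run on a suspect Windows host to check for the three indicators described above and, if the password log is still there, copy it off the machine before a second reboot finishes the encryption. The service name, the C:\DC22 directory and log_file.txt come from the text; the shutdown abort and service stop are assumed precautions, not steps the post describes, and the format of the password line inside log_file.txt is not documented here, so the whole file is shown.

```powershell
# Mamba host triage. Run from an elevated PowerShell prompt BEFORE the machine
# is allowed to reboot a second time. Added example; indicator names are taken
# from the write-up above, everything else is an assumption of this script.

$Indicators = @()

# 1. The Windows service Mamba registers (runs as LocalSystem per the write-up).
$svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='DefragmentationService'" -ErrorAction SilentlyContinue
if ($svc) {
    $Indicators += "Service DefragmentationService present (state: $($svc.State), binary: $($svc.PathName))"
}

# 2. The DiskCryptor drop directory.
$dcDir = 'C:\DC22'
if (Test-Path -LiteralPath $dcDir) {
    $Indicators += "Directory $dcDir exists:"
    Get-ChildItem -LiteralPath $dcDir -Force | ForEach-Object {
        $Indicators += "    $($_.Name)  $($_.Length) bytes  $($_.LastWriteTime)"
    }
}

# 3. The plaintext password log that exists only until the encryption pass completes.
$logFile = Join-Path $dcDir 'log_file.txt'
if (Test-Path -LiteralPath $logFile) {
    # Copy it somewhere safe first; its contents are what DCRYPT's Decrypt option needs.
    $backup = Join-Path $env:TEMP 'mamba_log_file_copy.txt'
    Copy-Item -LiteralPath $logFile -Destination $backup -Force
    $Indicators += "log_file.txt found; copy saved to $backup. Contents:"
    Get-Content -LiteralPath $logFile | ForEach-Object { $Indicators += "    $_" }
}

if ($Indicators.Count -eq 0) {
    Write-Output 'No Mamba indicators found.'
} else {
    Write-Warning 'Mamba ransomware indicators detected:'
    $Indicators | ForEach-Object { Write-Output $_ }

    # Assumed precaution: abort any pending scheduled shutdown so the second reboot
    # (and with it the full-disk encryption) does not happen. Only helps if the
    # reboot was queued through the shutdown API; harmless otherwise.
    shutdown.exe /a 2>$null

    # Assumed precaution: stop the service if it is still running.
    if ($svc -and $svc.State -eq 'Running') {
        Stop-Service -Name 'DefragmentationService' -Force -ErrorAction SilentlyContinue
    }
}
```

Copy the saved log off the machine (USB or network share) before doing anything else, since it is the only route to the password the text describes.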

The link with Iran

The blog of Brian Krebs (krebsonsecurity.com) shows that Iranians may have used Mamba against targets, including the San Francisco Municipal Transportation Agency (SFMTA). Fare station terminals displayed the message, “You are Hacked. ALL Data Encrypted.” The message stated that the key to decrypt the computers could be obtained by contacting the email address cryptom27@yandex.com.


According to Krebs, the cryptom27@yandex.com email address was itself hacked by another hacker, who found that the same credentials worked for the cryptom2016@yandex email account. A server identified as being used by the owner of the cryptom2016 account was used to scan the Internet for various vulnerabilities, including in Oracle products, especially a “Weblogic unserialize exploit” and the Primavera project portfolio management software.

The server used to launch the Oracle vulnerability scans kept detailed logs of the date, time and Internet address of each login. A review of the more than 300 Internet addresses used to administer the server revealed that it had been controlled almost exclusively from Internet addresses in Iran.

The attack server logs also included the web links or IP addresses of each victim server, listing the hacked credentials, with notes made next to each victim by the attacker. The notes appeared to be transliterated Farsi.

User account names on the attack server held other clues of Iranian involvement, such as names like “Alireza” and “Mokhi.” Alireza may pertain to Ali Reza, the seventh descendant of the prophet Muhammad. However… these are common names in and around Iran and could also indicate surrounding countries of origin (such names are also popular in Turkey and the Arab world).

I would say, knowing what my country is capable of, that the Iranian state or Iranian cyber criminals ARE involved in using Mamba ransomware to extort money to further other cyber activities.


The Strange Death of an Iranian IRGC Cyber Commander

Funeral reception of Mohammad Hussein Tajik

News of the assassination of an Iranian Cyber manager has recently been released. Mohammad Hussein Tajik, the cyber manager of the Iranian Revolutionary Guards Corp (IRGC), was assassinated in his home in July 2016. His torture and death seem strange…read on.

History

Mohammad Hussein Tajik was an accomplished mathematician (having been a silver medalist at a Mathematical Olympiad, which is a great award in Iran and opens many doors). Tajik’s career up to March 2013 involved:

  • Technical office at MOIS (Iranian Ministry of Intelligence)
  • IRGC Sarollah Headquarters (responsible for the security of Tehran and the surrounding province)
  • Deputy Head of the Kheybar Corps (responsible for stopping religious or civil disorder)
  • IRGC Quds Force (Special operations unit that operates abroad)

Arrest & Detention

In March or April of 2013, Tajik was arrested on charges of spying and he was then taken to the MOIS detention center at Hejrat. A court summons for Tajik was issued on 13th July 2013. After that, Tajik was taken in August or September 2013 to the 209 Wing of Evin prison.

Court summons for Mohammad Hussein Tajik


Interrogation & Torture

According to the Christian website vocir.org, Tajik was tortured and his confession was extracted by means of having boiling water poured on his penis and being held for 6 months in a deep pit (or “grave”) with a bright light shone on him constantly.

The Death of Tajik

After Tajik’s release, it was reported that sometime in early July 2016 (believed to be 7 July) he was talking on the telephone to a “news source” when his father (a MOIS operative), along with another MOIS operative, entered his home; at that point Tajik told the “news source” that he would call him back in an hour. Tajik never called back, because he had been murdered by his own father and the other MOIS operative.

It was reported that Mohammad Hussein Tajik’s body was very bloody (indicating a violent death) and that his body was covered in plastic bags before being covered in a burial shroud, to prevent the blood showing. It is stated that MOIS demanded that no autopsy be carried out, obviously to try and cover up the murder.

An unconvincing forgery

As if it were not odd enough that a MOIS operative would kill his own son (MOIS and IRGC do not get on, but killing your own son is extreme, even for MOIS), the official letter (see below) concerning Tajik’s case looks like a forgery, or the work of an intelligence agency. You decide. The document looks odd because we have all seen leaked official documentation and this does not look genuine. Why?

  1. Where is the letterhead in such an “official” document?
  2. There are multiple spelling mistakes.
  3. For an official document, the writing style is too informal.
  4. Why can we not see the document reference number or the signature?


Letter informing the court of witnesses who are linked with the case


Bypassing Iran’s National Information Network (ShoMA)

Following my previous articles on Iran’s “filternet” and the new (sort of) National Network (ShoMA), both of which are attempts by the government of Iran to block Internet access for Iranians (officially just to create a “clean” Internet, free of security threats and un-Islamic content), this article suggests some options to bypass ShoMA. It may be a case of cat-and-mouse between being able to access a site to download the software in the first place, before you can then bypass ShoMA. The regime can’t block everything, so basically there will ALWAYS be a way to bypass ShoMA.

There is much talk online by Iranians in support of ShoMA! You must wonder if they are supported by, or live in fear of, the regime.

I think as it’s impossible for the regime to block access to all Internet websites, ShoMA could perhaps be most effective (assuming you cannot bypass it) at throttling Internet access speeds to sites anywhere outside of the ShoMA Intranet.

Smartphone access

The Iranian regime is finding it hard to combat the massive market for smartphones accessing Western-based social media applications which the regime is trying to ban/block/discourage such as WhatsApp, Viber, and Telegram. More Iranians access the Internet via their smartphones than they do from PCs/laptops, etc. which mirrors how most people around the world access the Internet.

The regime is trying to encourage Iranians to use domestic equivalent applications via Iran’s equivalent to Google Play, for example, but why would anyone want to do that when they can continue to get access to the rest of the Internet and speak with friends outside of Iran?

Anonymous VPNs

Just Googling for “iranian vpns” shows some likely providers which are popular in Iran right now (2016), such as the following:

  1. NordVPN
  2. IPVANISHVPN
  3. SAFERVPN
  4. VPN AREA
  5. VYPRVPN
  6. TorGuard VPN

Obvious/not-so-obvious features to look for in a good Anonymous VPN are:

  • SSL tunnels for encryption of traffic (not much point using a VPN if it cannot do this!).
  • “Stealth” features that bypass DPI (Deep Packet Inspection) firewalls: unlike normal VPN traffic, which an ISP can filter or block, the service’s traffic appears as regular HTTPS traffic, making it virtually impossible to block (you get the double protection of a VPN plus a proxy). TorGuard’s Stealth VPN service, for example, offers this. See here for details; you can also view a video on this feature here.
  • Unlimited server switching and IP addresses.
  • Application support to run on your phone as well as your PC.
  • Use a combination of VPN and online stealthed proxy servers or use VPNs with Tor (very slow/may be blocked!).

Other VPN software previously popular for download in Iran (some of which may now be blocked, so check!), by platform (Windows PC or Android):

Windows: 

  • Psiphon 3
  • Freedome
  • Hotspot Shield
  • Lantern
  • Ultrasurf
  • Freegate

Android:

  • Hotspot Shield
  • Psiphon
  • F-secure Freedom VPN
  • Rakhsh
  • Hola
  • Gospeed
  • Tunnelbar
  • ShellFire
  • GoVPN
  • Haftkhan VPN
  • FreeVPN In Touch
  • North Ghost Touch VPN
  • Your Freedom VPN
  • Globus VPN


Tor/Orbot

Tor is used less in Iran than previously, because it is easier for the regime to block the traffic and because the speeds are VERY SLOW, so VPN access will always be what Iranians seek in the balance between speed of access and security/anonymity. Tor may still work even when standard VPNs, proxies and SSH tunnels will not.

Online proxy servers

These are sites through which you can get into or out of Iranian networks; the regime may try to block them, and the servers themselves may only be temporary. They typically use HTTP (for speed, not security) or HTTPS (for security) connections, usually on ports 8080, 80, 3128 or 8888. You simply set your browser’s proxy settings to use the server so that all traffic goes through that proxy. Some example sites that list Iranian proxy servers are:

SSH Tunnels

You may be able to access a server you already pay for and connect to it via the SSH (Secure Shell) protocol; you can then tunnel all your traffic via that server. If SSH connections are blocked, then you won’t be able to connect to the server.

DNS Filtering

This is the least likely to work; it involves changing the DNS servers through which your requests are resolved. Some Internet service providers implement filtering by configuring their DNS servers to redirect requests for blocked websites to another website. Alternative resolvers include OpenDNS or Google’s public DNS servers, but these would likely be blocked by ShoMA.
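As an added example (not from the original post), a PowerShell check for the DNS-level redirection described above: it resolves the same names through the system’s default resolver and through a public resolver and reports where the answers differ. The hostnames are placeholders to replace with the sites you care about; 8.8.8.8 is Google Public DNS, which the text itself mentions; Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Compare A-record answers from the default resolver and a public resolver.
# A mismatch is a hint (not proof) that the default resolver is redirecting
# or sinkholing the name. Added example; hostnames below are placeholders.

$PublicResolver = '8.8.8.8'                       # Google Public DNS (mentioned in the text)
$Names          = @('example.com', 'example.net') # placeholders: put the sites to test here

function Get-ARecords {
    param([string]$Name, [string]$Server)
    try {
        if ($Server) {
            $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        } else {
            # No -Server: use whatever resolver the system (i.e. the ISP) configured.
            $r = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
        }
        return @($r | Where-Object { $_.Type -eq 'A' } |
                     ForEach-Object { $_.IPAddress } | Sort-Object)
    } catch {
        # A timeout here often means the resolver itself is being blocked.
        return @("<no answer: $($_.Exception.Message)>")
    }
}

foreach ($n in $Names) {
    $local  = Get-ARecords -Name $n
    $public = Get-ARecords -Name $n -Server $PublicResolver
    $same   = (($local -join ',') -eq ($public -join ','))
    if ($same) { $verdict = 'consistent' }
    else       { $verdict = 'DIFFERENT: possible redirection or blocking' }

    [pscustomobject]@{
        Name            = $n
        DefaultResolver = ($local  -join ', ')
        PublicResolver  = ($public -join ', ')
        Verdict         = $verdict
    }
}
```

Sites served from a CDN can legitimately return different addresses to different resolvers, so treat a mismatch as a prompt to look closer (for example, at whether the “different” address serves a block page) rather than as a verdict.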

Satellite access: a fantasy?

Assuming you can afford this expensive option and can get a subscription and a portable VSAT (Very Small Aperture Terminal), satellite Internet access could be a way to bypass ShoMA, as the regime has no control over satellite providers and cannot disrupt or jam all such connections. VSATs are used in Internet cafes, but you would need to present your national ID in such places…

The cost to purchase and run is very high and would need to be shared by many people to be affordable, so is maybe just a fantasy.


Iran’s “National Internet” Project: Doomed to Fail.

The National Internet aka Intranet

Iran has rolled out the start of the “National Internet” Project for all Iranian citizens to “enjoy”. According to the Tasnim news agency, the national internet operates independently of all other networks (in other words, the Internet we all know and love) and is designed to operate domestically.

The national internet was started in 2005 (held up by increased costs and delays) and the final two phases are due to be completed by 2017. The second phase will add cutting-edge content such as videos. Expect that in February 2017. The third and final phase will include, among other things, services for Iranian business with international services. Err…

Filternet: it’s all over

The previous attempt by the Iranian regime known as the “filternet” or the “smart web” (designed to limit access to the evil parts of the existing internet), has failed miserably because it is easy for Iranians to use proxy servers or VPN connections to get around the “filters” put in place by the regime.  

Mahmoud Vaezi: filternet was all his fault


Iran’s Communications and Information Technology minister Mahmoud Vaezi was behind the smart web filtering project, but he now says that the “filternet” is inefficient. So, he’s really saying it has not worked. And it’s all his fault. You can see here that Vaezi thought “filternet” was a great success, while hypocritically using foreign companies to help set it up. Confused? No doubt Vaezi will have to wipe the egg off his face when not only the “filternet” but also the national internet fails to stop Iranians from accessing sites on the WWW.

Iran seems fine with the hypocrisy that a Californian company’s SmartFilter was used in the development of “filternet”…

Why bother?

To replace “filternet”, the national internet is deliberately meant to create an isolated domestic intranet for Islamic content and also attempt to improve cyber security (by not exposing Iranians to the evil Western Internet).

Well, Iran’s president Hassan Rouhani thinks it will magically strengthen the independence of the country. At a meeting of the Supreme Council of Cyberspace, according to the Iranian Republic News Agency (IRNA), Rouhani said that Iranian independence is increased by “not relying on external information networks for internal communications in today’s world”.

Hassan Rouhani: backing the National Internet

Rouhani vainly tries to convince Iranians (no one is falling for it), that they will play a more active role in furthering Iran’s role in the world if Iranians get access to a, “national, trustworthy, stable, high-quality and secure network” (cyber security in Iran is a bit of a hot topic in a post-Stuxnet world).

What this really means is that Iranians are meant to only be able to access content that is delivered from within Iran, with all servers being based in Iran.

Don’t panic

Like the failure of the existing “filternet”, the “National Internet” will NOT be able to control Iranian access to the wider, “unclean” Internet. Why not? Well, if filters can be easily bypassed, so can this. If Iran cannot control use of Telegram for example (Telegram has no servers in Iran), does she really think control can be made otherwise? 

Less computer-literate people may not normally be able to access sites such as Facebook, Twitter, Flickr, YouTube, etc. but such sites can still be accessible using means such as described above.


Iranian Cyber Police Arrest Three Telegram Channel Administrators

The Iranian Students News Agency (ISNA) reported on August 9 that the Cyber Police of Iran (FATA) have arrested some Telegram administrators.

According to FATA’s legal and international deputy, Hossein Ramazani, “Recently, the cyber police were informed of four Telegram channels that published insulting materials against religious topics. After liaison with Judiciary officials, measures were taken immediately to identify and arrest these people”.

On August 9, Ramazani continued, “The cyber police detectives found out that the administrators of these channels were in Iran. The four channels were immediately blocked, and the main administrator of the channels and one of his aides were arrested yesterday”.

Colonel Hossein Ramazani stated that three people were responsible for updating the Telegram channels and that the arrested administrators were from a city in Northern Iran.

FATA say that the administrators had published “blasphemous” pictures and materials against religious sacred things and leaders by using Photoshop or other editing softwares.

Cyber Police corruption

While it is possible that such blasphemy was committed, it is equally (and perhaps more) likely that FATA had been monitoring accounts it previously gained access to (see my previous article here) and perhaps planted such blasphemy themselves to then use as evidence in the arrests. It would not be beyond them as they try in vain to control the youth of Iran.

Thankfully, Telegram does not host its servers in Iran and my fellow Iranians can still use Telegram, much to FATA’s frustration. It is best to enable 2FA (two-factor authentication) for Telegram, and to use private rather than public channels where possible, which will help defeat FATA. Also, do not always trust who you are speaking with in channels: they may well be FATA…


Iran’s “Rocket Kitten” Group Claim Compromise of Iranian Telegram Accounts

Following on from my article here about the Iranian Cyber Police asking Iranians to stop using Telegram, it appears that the Iranian hacking group known as Rocket Kitten is behind a compromise of 15 million Telegram accounts used by Iranians.
Telegram is a very popular messaging app in Iran and almost 25% of the Iranian population are using the app every day.

Iranian authorities have previously demanded that Telegram provide them with “spying and censorship tools”. Telegram ignored the request and was blocked in Iran for around two hours on October 20 2015. Telegram does not have any servers in Iran, making the Iranian regime’s job harder to try and censor Telegram. This compares to the regime “banning” Twitter and Facebook, even though Iranians can use Tor or anonymous VPNs to get around the Iranian Internet filters…

Rocket Kitten

Rocket Kitten refers to a cyber threat group that has been attacking various organizations and individuals, such as members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents.

Rocket Kitten has launched two known campaigns: a malware campaign that uses the GHOLE malware, and a targeted attack called “Operation Woolen-GoldFish”, which is probably run by the Iranian regime. Rocket Kitten’s attacks were similar to ones attributed to Iran’s Revolutionary Guards Corp (IRGC). You can read more about Rocket Kitten here.


Telegram attack

Rocket Kitten managed to obtain public information and phone numbers from 15 million Iranian users of the Telegram messaging app, as well as the associated Telegram user IDs. They compromised over 12 Telegram accounts and jeopardized the communications of people including activists and journalists in sensitive positions within Iran.

Telegram responded by saying, “Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed.”

Importantly, Telegram have since changed their API so that similar mass checks on accounts should no longer be possible: Telegram 1, Iranian Regime 0!

The Telegram vulnerability involved sending authorization codes via SMS text messages to activate new devices and these could be intercepted by the phone company. So, this means a Man In The Middle (MITM) attack capability by a country that has access to telecommunications networks. This further implicates Rocket Kitten as being part of the Iranian regime.


A word from the Iranian Cyber Police

The Cyber Police of Iran (FATA) have transparently tried to un-link the association between Rocket Kitten and the Iranian government by blaming Telegram’s “weakness”. No one believes them…


The legal and international deputy of the Cyber Police, Colonel Hossein Ramazani, said that the hackers did not get access to the personal details of victims and that, “What is clear to us is the vulnerability and weakness which always existed in the service because of its text message confirmation system, through which [hackers] have gained access to the users’ phone numbers. The contents of people’s chats and personal details, however, have not been compromised.” Well, he obviously is not going to admit the regime did it, is he?

Use 2FA!

Telegram supports the use of two-factor authentication (2FA), but it is not enabled by default. That means users of Telegram should set up 2FA if they have not already done so, to prevent interception of SMS verification codes via cellular networks (even if Telegram claims the mass lookup loophole is fixed). Perhaps Telegram should start enabling 2FA by default!


Iran’s Cyber Police futile request for Iranians to stop using Telegram


The leader of Iran’s Cyber Police (FATA), Brigadier-General Kamal Hadianfar, has asked Iranian citizens to stop using the secure messaging application Telegram immediately!

Hadianfar says Iranians should stop using Telegram due to “security” reasons; what he really means is that FATA cannot control Telegram because servers are not hosted in Iran! Hadianfar said that, “People expressed concern over the usage presence of Telegram messaging app“. Presumably he means that FATA and the wider Iranian regime are more concerned! As an Iranian ex-patriate or as a citizen still living in Iran, I doubt I would find any Iranian citizen who would agree with Hadianfar.

Citizens may perhaps be more concerned that Telegram was written and is supported by the Russian Durov brothers, and one may say (if paranoid) that perhaps the Russian state could be behind Telegram. Russia is *allegedly* helping Iranian cyber efforts anyway, so perhaps this is a disinformation campaign by FATA to actually encourage Iranians to keep using Telegram?! Perhaps I am giving too much credence to FATA; in reality they cannot stop Iranians from using Telegram any more than Iran’s filternet stopped Iranians from accessing certain content on the Internet.

Brigadier-General Kamal Hadianfar looking concerned


The Brigadier-General, the man with the finger on the pulse of all things Iranian cyber in nature, went on to say that, “Foreigners take advantage of the information uploaded on this server. In fact, the main Telegram admin does not have a serious determination to confront social, cultural and moral crimes”.

Perhaps this says it all: FATA are having real problems trying to control the digital youth of Iran.


Zero Days: Film about Nitro Zeus & Stuxnet

Zero Days is a new film about investigations of the world’s first cyber weapon known as Stuxnet and Operation Olympic Games. Stuxnet is malicious software that can obscure and harm critical data. The film talks about another even more powerful cyber weapon, known as Nitro Zeus.

Stuxnet

Stuxnet is a malicious computer worm, possibly of US and Israeli origin. It targeted the Iranian nuclear facilities at Natanz in a way designed to make the damage look like a series of accidents.

Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes, e.g. controlling machinery on factory assembly lines, or centrifuges for separating nuclear material.

Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet compromised Iranian PLCs, collecting information on industrial systems and causing the centrifuges to be destroyed.

Stuxnet’s design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g., in automobile or power plants), the majority of which reside in Europe, Japan and the US. Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.


Operation Olympic Games

Operation Olympic Games was a covert campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities by the United States and possibly also by Israel.

Nitro Zeus

Nitro Zeus provided the NSA (National Security Agency) the ability to attack Iran’s command-and-control systems, which would obstruct the whole country’s communication capabilities.

The state-sponsored cyber hack would also disable Iranian air defenses, and harm financial systems as well as vital components of the power grid. This would allow US and Israeli aircraft to survey the area without being shot down.

The operation was in place as a second option just in case diplomacy and negotiations did not go smoothly. The cyber program was never actually used.

Film

The Zero Days trailer can be found at the official site here.