Global backlash over Iran’s cyber battle against protesters

Iranian students protest at the University of Tehran on December 30, 2017. (AFP)
Updated 09 January 2018

LONDON: The Iranian government may be rethinking its battle against online dissent after a global backlash against moves to curb the use of social media tools such as Telegram.
It follows fresh comments made by President Hassan Rouhani on Monday stating that he did not want to “permanently” restrict access to social media.
His remarks contradict earlier decisions made in December to block the picture-sharing app Instagram and the encrypted messaging app Telegram due to the belief they were fueling the protests that broke out on the streets of the country last month.
It follows widespread criticism of the move to curb access to social media tools used by the protesters.
Speaking to ministers on Monday, Rouhani said: “People’s access to cyberspace should not be cut permanently; one cannot be indifferent to people’s lives and businesses.
“Every technology can be abused by some; we cannot block the technology and the benefits that people are taking from it,” he added in comments published on the president’s official website.
Iran has had a strong grip over social media for many years, with Facebook and Twitter technically banned since 2009. However, many people have still managed to find a way to access the sites and even Rouhani opened his own Facebook page in 2013.
Holly Dagres, a former US State Department analyst who now runs The Iranist website, said: “The Iranian government tends to slow the Internet in times of big protests like 2009 and this past week’s protests. They also have censored Twitter, Facebook, and YouTube. But that hasn’t stopped Iranians from using circumvention tools like VPNs to override the censorship. Iranians are professionals when it comes to circumvention, and though the government attempted to curb social media coverage of the protests, it hasn’t stopped Iranians from sharing information with the world.”
The messaging service Telegram has become one of the most popular social media tools in Iran in recent years, with an estimated 40 million Iranians using the product. Users can message each other via private and public channels.
The decision to block the app was due to Telegram’s refusal to shut down certain channels being used by protesters, according to a statement by the company’s CEO Pavel Durov on Dec. 31. He said at the time that it wasn’t clear whether the block was a permanent or temporary move.
The Iranian minister tweeted Durov late last month, accusing the channel of “encouraging hateful conduct.”
In his official statement, Durov countered such accusations, stating: “We are proud that Telegram is used by thousands of massive opposition channels all over the world. We consider freedom of speech an undeniable human right, and would rather get blocked in a country by its authorities than limit peaceful expression of alternative opinions.”
The messaging app did, however, suspend a public channel called @amadnews, which it said had broken Telegram’s rules banning users from making calls for violence.
The account had called for subscribers to use “molotov cocktails and firearms against police.”
According to Durov, the administrators for the channel apologized for breaking the rules and a “new peaceful channel” has been reinstated.
It may be too early to say if Rouhani’s comments signal a significant shift in Iran’s stance on social media, with no official confirmation that Telegram has been unblocked. Instagram has reportedly now been unblocked.
Instagram and Telegram did not reply to requests by Arab News for comment.
However, some analysts see his remarks as an attempt to distance himself from more hard-line elements in the regime.
“The comments show that President Rouhani wants to create a clear distance between himself and his conservative critics, using the protests as a unique opportunity to pivot himself away from being the demonstrators’ target to becoming their champion for reform,” Ali Valez, the Washington-based director of the Iran Project, told Arab News.
There are also signs that pro-government supporters are starting to harness the power of social media in order to promote their own agenda.
One strategy being employed is the creation of Twitter bots which generate automatic content and followers. A BBC report published on Jan. 7 found that these accounts were being used to undermine tweets made by protesters, such as denying that a demonstration had taken place.
There are also continued reports of Iran’s clampdown on anti-government protests. More than 40 Iranian students were arrested between Dec. 30 and Jan. 4, 2018, according to the Center for Human Rights in Iran.
According to a BBC report on Monday, a 22-year-old man arrested during the protests has died in a prison in Tehran.


Hackers acting in Turkey’s interests believed to be behind recent cyberattacks


  • The attacks involve intercepting Internet traffic to victim websites
  • Intelligence suggests the attacks bear the hallmarks of Turkish interests

LONDON: Sweeping cyberattacks targeting governments and other organizations in Europe and the Middle East are believed to be the work of hackers acting in the interests of the Turkish government, three senior Western security officials said.
The hackers have attacked at least 30 organizations, including government ministries, embassies and security services as well as companies and other groups, according to a Reuters review of public Internet records. Victims have included Cypriot and Greek government email services and the Iraqi government’s national security adviser, the records show.
The attacks involve intercepting Internet traffic to victim websites, potentially enabling hackers to obtain illicit access to the networks of government bodies and other organizations.
According to two British officials and one US official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.
The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.
The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.
Turkey’s Interior Ministry declined to comment. A senior Turkish official did not respond directly to questions about the campaign but said Turkey was itself frequently a victim of cyber attacks.
The Cypriot government said in a statement that the “relevant agencies were immediately aware of the attacks and moved to contain” them. “We will not comment on specifics for reasons of national security,” it added.
Officials in Athens said they had no evidence the Greek government email system was compromised. The Iraqi government did not respond to requests for comment.
The Cypriot, Greek and Iraqi attacks identified by Reuters all occurred in late 2018 or early 2019, according to the public Internet records. The broader series of attacks is ongoing, according to the officials as well as private cybersecurity investigators.
A spokeswoman for the UK’s National Cyber Security Center, which is part of the GCHQ signals intelligence agency, declined to comment on who was behind the attacks. In the United States, the Office of the Director of National Intelligence declined to comment on who was behind the attacks and the Federal Bureau of Investigation did not respond to a request for comment.

Hijacked
The attacks highlight a weakness in a core pillar of online infrastructure that can leave victims exposed to attacks that happen outside their own networks, making them difficult to detect and defend against, cybersecurity specialists said.
The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the Internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.
By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there.
Reuters reviewed public DNS records, which showed when website traffic was redirected to servers identified by private cybersecurity firms as being controlled by the hackers. All of the victims identified by Reuters had traffic to their websites hijacked — often traffic visiting login portals for email services, cloud storage servers and online networks — according to the records and cybersecurity experts who have studied the attacks.
The attacks have been occurring since at least early 2018, the records show.
While small-scale DNS attacks are relatively common, the scale of these attacks has alarmed Western intelligence agencies, said the three officials and two other US intelligence officials. The officials said they believed the attacks were unrelated to a campaign using a similar attack method uncovered in late 2018.
As part of these attacks, hackers successfully breached some organizations that control top-level domains, which are the suffixes that appear at the end of web addresses immediately after the dot symbol, said James Shank, a researcher at US cybersecurity firm Team Cymru, which notified some of the victims.

Victims
Victims also included Albanian state intelligence, according to the public Internet records. Albanian state intelligence had hundreds of usernames and passwords compromised as a result of the attacks, according to one of the private cybersecurity investigators, who was familiar with the intercepted web traffic.
The Albanian State Information Service said the attacks were on non-classified infrastructure, which does not store or process “any information classified as ‘state secret’ of any level.”
Civilian organizations in Turkey have also been attacked, the records show, including a Turkish chapter of the Freemasons, which conservative Turkish media has said is linked to US-based Muslim cleric Fethullah Gulen, who is accused by Ankara of masterminding a failed coup attempt in 2016.
The Great Liberal Lodge of Turkey said there were no records of cyber attacks against the hijacked domains identified by Reuters and that there had been “no data exfiltration.”
“Thanks to precautions, attacks against the sites are not possible,” a spokesman said, adding that the cleric has no affiliation with the organization.
The cleric has publicly denied masterminding the attempted coup, saying “it’s not possible,” and has said he is always against coups.
A spokesman for Gulen said Gulen was not involved in the coup attempt and has repeatedly condemned it and its perpetrators. Gulen has never been associated with the Freemason organization, the spokesman added.