Advertisement

SKIP ADVERTISEMENT

Iranian Hackers Found Way Into Encrypted Apps, Researchers Say

Reports reveal that hackers have been secretly gathering intelligence on opponents of the Iranian regime, breaking into cellphones and computers and outsmarting apps like Telegram.

Supporters of the Mujahedeen Khalq, or M.E.K., taking part in a rally in Washington in January. The dissident group is among the most prominent victims of the attacks.Credit...Jose Luis Magana/Associated Press

Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems — a capability Iran was not previously known to possess, according to two digital security reports released Friday.

The operation not only targets domestic dissidents, religious and ethnic minorities and antigovernment activists abroad, but can also be used to spy on the general public inside Iran, said the reports by Check Point Software Technologies, a cybersecurity technology firm, and the Miaan Group, a human rights organization that focuses on digital security in the Middle East.

The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said.

A spokesman for Telegram said that the company was unaware of the Iranian hacker operation, but that “no service can prevent being imitated in ‘phishing’ attacks when someone convinces users to enter their credentials on a malicious website.” WhatsApp declined to comment.

The reports suggest significant advances in the competency of Iranian intelligence hackers. And they come amid warnings from Washington that Iran is using cybersabotage to try to influence American elections. Federal prosecutors on Wednesday identified two Iranian individuals they said had hacked into American computers and stolen data on behalf of Iran’s government and for financial gain.

“Iran’s behavior on the internet, from censorship to hacking, has become more aggressive than ever,” said Amir Rashidi, director of digital rights and security at Miaan and the researcher for its report.

According to the report by Check Point’s intelligence unit, the cyberespionage operation was set up in 2014, and its full range of capabilities went undetected for six years.

Miaan traced the first the operation to February 2018 from a malicious email targeting a Sufi religious group in Iran after a violent confrontation between its members and Iranian security forces.

Image
Tehran in May. The hacking operation can also be used to spy on the general public inside Iran, according to the reports.Credit...Arash Khamooshi for The New York Times

It traced the malware used in that attack and further attacks in June 2020 to a private technology firm in Iran’s northeast city of Mashhad named Andromedaa. Miaan researchers determined that Andromedaa had a pattern of attacking activists, ethnic minority groups and separatist opposition groups but also had developed phishing and malware tools that could target the general public.

The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report.

Among the most prominent victims of the attacks, the reports said, are the Mujahedeen Khalq, or M.E.K., an insurgent group that the Iranian authorities regard as a terrorist organization; a group known as the Association of Families of Camp Ashraf and Liberty Residents; the Azerbaijan National Resistance organization; citizens of Iran’s restive Sistan and Balochistan Province; and Hrana, an Iranian human rights news agency. Human rights lawyers and journalists working for Voice of America have also been targeted, Miaan said.

According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets.

One of these is a Persian-language document titled “The Regime Fears the Spread of the Revolutionary Cannons.docx,” referring to the struggle between the government and the M.E.K., sent to members of that movement. Another document was disguised as a report widely awaited by human rights activists on a cybersecurity researcher.

These documents contained malware code that activated a number of spyware commands from an external server when the recipients opened them on their desktops or phones. According to the Check Point report, almost all of the targets have been organizations and opponents of the government who have left Iran and are now based in Europe. Miaan documented targets in the United States, Canada and Turkey as well as the European Union.

The spyware enabled the attackers to gain access to almost any file, log clipboard data, take screenshots and steal information. According to Miaan, one application empowered hackers to download data stored on WhatsApp.

Image
The Voice of America studios in Washington. Human rights lawyers and journalists working for the broadcaster have reportedly been targeted.Credit...Jason Andrew for The New York Times

In addition, the attackers discovered a weakness in the installation protocols of several encrypted applications including Telegram, which had always been deemed relatively secure, enabling them to steal the apps’ installation files.

These files, in turn, allow the attackers to make full use of the victims’ Telegram accounts. Although the attackers cannot decipher the encrypted communications of Telegram, their strategy makes it unnecessary. Rather, they use the stolen installation files to create Telegram logins to activate the app in the victims’ names on another device. This enables the attackers to secretly monitor all Telegram activity of the victims.

“This cutting-edge surveillance operation succeeded in going under the radar for at least six years,” said Lotem Finkelstein, head of threat intelligence at Check Point. “The group maintained a multi-platform, targeted attack, with both mobile, desktop and web attack vectors, that left no evasion path for victims on the target list.”

The attackers, Mr. Finkelstein said, “designed their cyberweapons to technically target instant messaging apps, even ones considered secured.”

Miaan experts said the Iranian company linked to the attackers, Andromedaa, has been mentioned in at least three previous reports linking them to stealing information through malware. The Miaan report said the attack tools in those cases suggested they were “designed, built and run by the same hacker(s).”

Mr. Rashidi, the Miaan researcher, attributed the success of the hackers partly to what he described as their social skills in creating deceptions that lured victims into a trap.

For example, one malware targeting dissidents in Sweden was designed as a Persian-language instructions tool for Iranians seeking Swedish driver’s licenses. Another application targeting ordinary Iranians promises to give users a larger exposure on social media apps like Instagram and Telegram.

Image
Students in Tehran protesting against the Iranian government in 2017. The hackers were apparently able to secretly monitor mobile applications often used to plan demonstrations.Credit...Associated Press

Mr. Finkelstein at Check Point said it was “highly possible” that the hackers were freelancers employed by Iranian intelligence, as has been true in previous Iranian hacking episodes. He also said the infrastructure of the operation led Check Point to conclude that the attacks are “administered by Iranian entities against regime dissidents.”

Babak Chalabi, the 37-year-old spokesman of the Azerbaijan National Resistance Organization, which promotes the rights of ethnic Turks in Iran, said his computer was hacked by this group in late 2018 when he received an email with a link and clicked on it.

Mr. Chalabi said he had done an interview with the Al Arabiya television channel about Iran’s cybersecurity and three days later he received an email from a person disguised as an Al Arabiya editor, informing him that the network had received complaints from Iran about his interview and asking him to look at the complaints through a link.

When Mr. Chalabi clicked on the link his computer was infiltrated, he said. He contacted Mr. Rashidi of Miaan. Mr. Rashidi reviewed his files and the email and confirmed this group of hackers was behind it.

Ronen Bergman is a staff writer for The New York Times Magazine, based in Tel Aviv. His latest book is “Rise and Kill First: The Secret History of Israel’s Targeted Assassinations,” published by Random House. More about Ronen Bergman

Farnaz Fassihi is a freelance reporter with the International Desk based in New York. Before contracting with the Times, she was a senior writer and war correspondent for the Wall Street Journal for 17 years based in the Middle East. More about Farnaz Fassihi

A version of this article appears in print on  , Section A, Page 12 of the New York edition with the headline: Iranian Hackers Broke Into Encrypted Apps, Reports Find. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT