Tuesday, February 23, 2010
Report on the Operation of the Iran Cyber Army in Hacking Websites - payvand.com - 22 Feb 2010
During the past few months, the activities of Iran's Cyber Army have been noted by the Iranian and even the international media. The theory that these hacker groups are connected to the Iranian government was strengthened when, after several sites were hacked, they issued warnings to the Green Movement. The scope of the measures taken by the Cyber Army discredits the theory that a group of Ahmadinejad's admirers spontaneously carried out such acts. These messages and the nature of the sites chosen for attack indicate that there are hidden hands which support the Cyber Army.
A review of the political messages published by this group in recent months, and the official statements of a government administrator of Iran's aviation industry in defense of the Cyber Army, give reason for a closer examination of Iran's Cyber Army, which earlier research had claimed was composed of Russian hackers based outside of Iran. But what is the Iranian Cyber Army and where is it based? Before considering these details, a few preliminaries are necessary.
Attack on Twitter
On the morning of Friday, 28 Azar 1388 [December 19, 2009], connections to the website Twitter were cut in some parts of the world, and those who tried to access it were redirected to a message in English which read:
U.S.A. Think They Controlling and Managing Internet By Their Access, But They Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Attack on Baidu
On the morning of Tuesday, 22 Dey 1388 [January 12, 2010], the website Baidu, the largest Chinese search engine, was hacked. A message placed on it read: "The Iranian Cyber army has been launched in protest against intervention by foreign and Zionist sites in our country's domestic affairs and the spreading of lying and divisive news."
These actions culminated in a cyber war between Iran and China: groups of Chinese hackers calling themselves the Honker Union for China hacked official websites of the Iranian government, including the president's official website and that of the Leader.
Attack on Radio Zamaneh
On 10 Bahman 1388 [January 30, 2010], the Iranian Cyber Army hacked the website of Radio Zamaneh, changing its front page to a picture of the Islamic Republic of Iran's flag and the slogans "Ya Hosein (aleihum salam)" and "Persian Gulf", under which it was written,
If the Leader commands, we attack
If he asks, we sacrifice ourselves
If he wants us to be patient and steadfast
We will sit down and take it in stride.
On 23 Bahman 1388 [February 12, 2010], those who tried to access the site of Jaras News, which publishes news of the Green Movement, were faced with this message from the Iranian Cyber Army on its front page:
Out of respect for the referendum which was held on 22 Bahman [February 11, 2010] and the people who voted and out of respect for the great nation and country named Iran ... do not be a tool of those who live safe and sound in America and are using you as a tool.
A Prank on the Iranian Cyber Army
On 16 Bahman 1388 [February 5, 2010], the website Khodnevis, which is administered by Nikahang Kosar, wrote in the satirical column "False News":
In an amazing and unprecedented step, the Iranian Cyber Army hacked the Mehrabad Airport portal so that those who try to access this site, namely airport workers, are directed to the Raja Rail Company when they type in its URL. It is said that the attack occurred in the early hours of the night and continued into Saturday, facing the airport with a serious crisis. The sudden occurrence of dozens of air accidents in the skies over Tehran as a result of the tower's air traffic control communications systems' failure was considered the most important danger which followed this attack, threatening the capital of Iran. Although experts believe that this attack was done by mistake and the technical difficulties were fixed an hour later, the Iranian Cyber Army, after hacking the Mehrabad portal, placed a flag of the Islamic Republic of Iran with a blue color [instead of the green color, which is at the top of the tricolored flag], along with a message reading, "The Iranian Cyber Army warns all mercenaries who would sell out their country that they will not be safe even in the skies."
This satire, which was based on an altered version of part of the real message the Iranian Cyber Army left when it hacked Radio Zamaneh, was quickly picked up by Iranian news sites. Within a few hours, the rumor of a mistaken attack by the Iranian Cyber Army on a government website had become a means of ridiculing the group. Although a few hours later the news was wiped from the various sites on which it had appeared, the rumor continued to spread, to the point that some large companies immediately signed multi-year contracts with internet security groups to strengthen the firewalls of their websites.
The Reaction of a Government Administrator
On 18 Bahman 1388 [February 7, 2010], only two days after this rumor spread, Morteza Dehqan, the acting manager of Tehran's Mehrabad Airport, denied the attack on the airport's site in a discussion with a group of journalists, calling it news blackmail and saying:
When foreign agents failed to achieve their filthy ends after the elections, they tried to concoct a conspiracy based on an attack on Tehran's international airport in order to disrupt the country's security atmosphere, while no such attack occurred on the airport's website's portal and this news is a pure lie from start to finish. It is clear that the counter-revolutionary media has discovered the Iranian Cyber Army's power and, out of fear of its power, wishes to launch accusations through which it can divert public opinion.
Nikahang Kosar, who had already stated on his site Khodnevis that this news was a rumor, wrote, after the publication of the interview with the acting administrator of Mehrabad Airport, in part of his report about this event: " ... When Mehrabad Airport's acting administrator denied the report about the attack on that airport's website, he defended the Cyber Army's record, and we realized that our fake news had done its job. An official officer of the Islamic Republic defended the Cyber Army in such a way that it seems that this group is led by the [Islamic Republican] system."
On Iranian Hacker Groups
During the past eight years, many groups of hackers have been formed in Iran, of which the most famous are Ashianeh, Shabgard, and Simorgh. These groups freely attacked various websites, taking advantage of the lack of enforcement of Iran's current criminal laws, in order to win fame as well as out of rivalry with other groups.
Following the rise in reports about unauthorized intrusions into Iranian government websites and the spread of news in this regard, intelligence agencies became interested in the power of hacking tools and began widespread efforts to control and guide such attacks.
Security and intelligence organizations solicited the cooperation of these intrusion groups, using them to identify and counteract opponents on the internet and to form intelligence groups that control the flow of the opponents' information. Some time later, these people also taught hacking techniques to military technicians.
The Formation of the Iranian Cyber Army
The group Ashianeh was one of the first to join the circle of government infiltrators and set about wrecking the sites of the Islamic Republic's opponents with the cooperation of the best hackers. Reports of this group's activities were published in government media, such as Voice and Vision, Keyhan, and IRNA, and were noticed very soon.
Teaching the Military to Hack
Alongside the hacker groups' activities, supposedly private companies were organized as well, whose primary duty was to recruit infiltrators, instruct military forces in cyber attacks, and prepare the necessary resources for such attacks. These companies were charged with training infiltrators and carrying out hacking projects for the Iranian Cyber Army. In the meantime, these companies would import technology needed by Iran's security forces from Dubai. Among the managers of these companies is the son of one of the senior security officers who, utilizing his father's connections, has been working with the military and security forces for years. After forming a company through the military budget, he has been busy recruiting expert Iranian infiltrators and, having formed a professional and stable group, has begun to accept cyber control projects in Iran and to supply infiltrators for the government.
How Group Members Are Chosen
The plan for the formation of an Iranian Cyber Army was raised in 1384 in the Revolutionary Guards, but with the increase in propaganda against the ninth government, its execution was sped up. A while later, a very broad group was formed, whose membership grew to more than a few. The Cyber Army's unit for recruiting human resources works as follows: after identifying a professional hacker, it contacts him and threatens that if he does not cooperate, he will be sent to prison.
The relationships and information of individuals are so tightly controlled that even most of the group's members are not yet aware of their collaboration with the Cyber Army. Given its use of gifted individuals, the scientific level of the Cyber Army is very high, and given the long record of activity of infiltrators in Iran, the power of this army in achieving its goal is comparable to similar groups which operate in the American and Israeli intelligence agencies. It is worth noting that the Center for Struggle with Organized Cyber Crime (the Sepah's cyber troops) is composed of the same people.
In Ordibehesht 1388 [May 2009], Fars news service reported that the foundation Defense Tech, which is an American military and security agency, called Iran one of the five countries with the most powerful cyber forces, based on figures received from the CIA. This foundation declared that the Iranian Cyber Army's budget is 76 million dollars, emphasizing that it is monitored by a group from the Revolutionary Guard's cyber supervision team.
A Short Time to Execute Instructions
Iran's Cyber Army has so far not been able to breach the servers of the websites it targets, but has contented itself with simply hijacking their domains. This method points to the time constraints under which the group carries out its intrusion operations. In the past few months, they have carried out orders transmitted by their chief using methods which require less time. In their attack on Twitter, they compromised the computer of one of the company's staff with a Trojan horse and, by using his email account, were able to reset the domain settings in his control panel. This was similar to the attack of 1383 attempted by one of the Iranian hacker groups on one of the NASA websites. In attacking Jaras and other websites, the Cyber Army used the technique of DNS cache spoofing, which redirected the domain.