Sitting in the archives of the cybersecurity service VirusTotal is an artifact of a piece of malware sent in late 2012 to the Iranian journalist Vahid Pour Ostad. Pour Ostad’s history is emblematic of many prominent journalists of his generation. After a brief period of relative openness that allowed a vibrant press to flourish at the turn of the century, hardline elements of the Iranian government responded to these changes by prosecuting journalists and closing newspapers. Pour Ostad paid a high cost for his critical investigations of the country’s legal system: he was arrested multiple times, fired from newspapers, and ultimately forced to leave Iran.
The malware in question was sent by a Ministry of Intelligence agent that had interrogated Pour Ostad, attached as a threat and leveraging private records that would have been available only to someone collaborating with the government. By that time, Pour Ostad had enough experience with spearphishing attempts to recognize the attack. What Pour Ostad was unaware of was that the same actors attempting to hack him were implicated in a broad campaign of surveillance of dissidents and perceived foreign adversaries.
For several years, we have conducted research on targeted attacks against civil society and activists in Iran and elsewhere. From these experiences, one lesson in particular stands out: human rights defenders and journalists are a canary in the coal mine for the attacks used to steal military secrets, coerce perceived foreign adversaries, and undermine critical infrastructure. Despite this chilling predicament, these at-risk populations are afforded substantially fewer opportunities to protect themselves and are often relegated to the margins of conversations about cyber security. This inequity is to the detriment of everyone, and must change if we want to improve the Internet for all communities.
The Ministry of Intelligence affiliated group behind the attack against Pour Ostad, labelled “Magic Kitten” by the cyber security company CrowdStrike, has targeted both dissidents and perceived foreign adversaries of Iran for over a decade. Unlike most operators from the country, the group had spent a respectable amount of effort to hide its operations—relying on a network of compromised sites to conceal its communications with a shadowy network within Iran. In our own forensic investigation, we found indications that Magic Kitten had compromised computers in at least Germany, Indonesia, Iran, Iraq, Lebanon, the Netherlands, Palestine, Pakistan, Qatar, Sweden, Switzerland, Thailand, and the United Arab Emirates—a window into an extensive campaign of espionage. While little had been published on Magic Kitten, in part owing to its secrecy, based on technical indicators we were able to tie the group to CrowdStrike’s description and to an operation dubbed SILVERBOLT in an NSA presentation disclosed by Edward Snowden. While the NSA repurposed Magic Kitten’s operations to spy on those it had compromised and to watch the group’s movements, it did not appear to inform individuals like Pour Ostad about the threats posed by Iranian hacking.
While most reports from the cyber security community focus on attacks on the private sector, nearly every known Iranian-origin hacking operation has targeted dissidents with the same tools and tactics at the same time.
Nearly one year after we began tracking it, in May 2016 Palo Alto Networks disclosed a malware operation named Infy that had targeted the US government and other foreign interests. Unbeknownst to Palo Alto Networks, Infy had targeted Iranian bloggers in the diaspora since at least 2011 and was one of multiple groups that had attempted to hack activists in the lead-up to the country’s 2013 Presidential election. Driven by Iranian domestic politics, Infy resurfaced once again to stalk women who were registering female candidates for the February 2016 parliamentary election. When we sinkholed traffic from the Infy malware, redirecting its communications to our servers by taking advantage of a design mistake by the attackers, we found an operation that had compromised Saudi oil companies, ethnic minorities in Iran’s border regions, armed opposition groups, and Persian-language journalists in Europe.
Few Iranian dissidents were surprised when hackers performed distributed denial of service (DDoS) attacks against American banks, apparently at the behest of the Iranian government in retaliation for US sanctions. The same techniques, and perhaps even the same infrastructure, had been used against them for years to suppress information during critical moments. The day before the March 2012 Iranian parliamentary elections, employees of the BBC were unable to access their email owing to a DDoS attack attributed to Iran. Persian-language media had come to expect that elections and protests would be met with DDoS attacks and website defacements. Unlike American banks, there was little they could do then to respond other than turn off their sites to avoid costly bills from their web hosts.
The blurred lines are not limited to Iranian hacking efforts. Elsewhere, over the past year, Egyptian human rights defenders and Qatar-focused labor rights activists have been repeatedly targeted by credential theft campaigns seemingly conducted by hackers-for-hire based out of India. The same actors targeting Middle Eastern civil society had also attempted to spearphish Emirati diplomats and Saudi national security officials in the weeks immediately preceding a Gulf region crisis partially triggered by hacking. This overlap has been present from the outset of efforts by governments to use hacking in pursuit of their strategic interests. One of the earliest reports on Chinese cyber espionage efforts, the GhostNet report published by the Citizen Lab and SecDev Group, found that the set of victims, which included embassies, banks, and military institutions, also contained Tibetan dissidents, news media, and NGOs.
Many cyber security researchers and public discussions focus on countries where governments are constantly seeking to stifle dissent and exert general control over the public debate. For these governments, political opponents, human rights advocates, and independent media therefore constitute one of the primary targets, and the intelligence gathering tools usually used to spy on perceived foreign adversaries or transnational criminal networks will often be concomitantly turned inward to monitor their own population.
Knowing that someone is attempting to hack you is half the battle. For dissidents in oppressive regimes, government hacking can be consequential. We encountered at least two cases where Iranian state-sponsored hackers compromised individuals in the weeks prior to their arrest by security forces. The government singling you out for surveillance might be a warning that it is the time to leave—and in our experience, hacking attempts are often taken as a signal to not travel back home. Notification can be a life or death issue.
Similarly, as the Associated Press has documented, while Russian hackers targeted foreign journalists and domestic opponents of President Vladimir Putin, nearly none of those interviewed were provided notice by law enforcement or others about threats to their safety. This seems to be standard: in May 2014, the FBI published the names of fifty-six fictitious social network profiles that were used in a complicated Iranian scheme to spy on government officials and the defense sector, also covered in a report by iSIGHT (now FireEye). In the notice, provided to a closed list of companies and government entities, the FBI disclosed a larger network than iSIGHT had: at least sixteen of the profiles had clearly Persian names (such as “Mehdi Rastegar”)—identities that would not be useful for targeting the defense industry.
Indeed, the campaign had another focus—those same accounts had also been used to compromise an American involved in the international Baha’i religious community—a religious minority that faces systematic patterns of persecution by the Iranian authorities. The names and indicators provided by the FBI gave companies the opportunity to tell whether they had been targeted by Iranian state-sponsored actors. At a minimum, this information can motivate targets to improve their defenses. The Baha’i community was never provided this chance.
Only Google and Facebook regularly notify their users of attempts against their accounts by government hackers, and these cryptic warnings leave much to be desired. In our own work with at-risk communities, we have found that security researchers rarely notify victims, despite commonly obtaining similar information about targeting. Once again, the private sector is favored over the public—provided significantly more opportunity to protect itself than individuals, despite even more chilling potential harms.
Neither governments nor the cybersecurity community have taken enough responsibility for protecting these users, exacerbating the disparity of opportunities. While forced dependency on commercial platforms and proprietary software is not desirable, advocates have few other options to defend themselves against state-backed hacking. Companies such as Google and Facebook are best positioned to protect users because they have built the resources and infrastructure, and hired security engineers to monitor and respond to threats. Until such time as the ideals of a truly safe and resilient Internet are realized, those with the resources and expertise have a heightened responsibility to be better stewards of user security. Companies and researchers must engage civil society as peers within a collaborative environment and place more value on the protection of such communities, guided by four core principles:
Invest: Tech and security companies should continue to invest in protecting users who are threatened by hacking and disruptive attacks from governments and criminal groups. While options for protecting accounts and devices have improved in recent years, important companies lag behind their competitors. There should not be an economic barrier to staying secure. Not every dissident can afford the latest devices from Silicon Valley, and many are denied access to American services due to economic sanctions or other political issues.
Engage: Tech companies should maintain collaborative relationships with organizations and groups that understand the context that they operate within. Information should be shared with those communities in both directions when it can help the public be more resilient against attacks. Companies that provide information security and protective products should consider providing voluntary efforts or pro bono services to individuals and organizations targeted by attacks.
Notify: Those singled out by governments should be provided notice by platforms and security researchers when targeted or compromised. Where notification is currently provided, it is usually limited to a simple warning that “state-sponsored hackers had targeted their accounts.” This messaging does not provide information that would help the user understand who had targeted them, nor does it offer further assistance.
Remedy: Where a company or a cyber security researcher encounters attacks against at-risk communities, they should act swiftly to address and end those threats. Researchers often face a strategic question about whether to shut down an operation (at the risk of attackers adapting their techniques) or to passively continue observing the attacks. We are concerned that dissidents are treated as expendable compared to commercial infrastructure. We believe the apparent position of Google that all malware should be shut down regardless of its targets is a commendable one, and should be an industry standard. Researchers should operate under the principle that it is their responsibility to end threats and remedy harm wherever possible.
As the history of cyber operations in the Middle East, China, and elsewhere demonstrates, an attack against a women’s rights advocate today foreshadows those used against a European aviation firm tomorrow. However, human rights defenders are far too often relegated to the margins—not given access to critical information to protect themselves against attacks. While progress has been made in providing more resources to activists, these efforts are inconsistent and inadequate. Cooperation on cybersecurity and attempts to address systemic insecurities must consider the needs of at-risk communities as a fundamental value. Activists aren’t merely an early indicator to be used; they should be understood as co-equal partners in the global conversation on how to protect the integrity and security of the Internet.