Few Iranian dissidents were surprised when hackers performed distributed denial of service (DDoS) attacks against American banks, apparently at the behest of the Iranian government in retaliation for US sanctions. The same techniques, and perhaps even the same infrastructure, had been used against them for years to suppress information during critical moments. The day before the March 2012 Iranian parliamentary elections, employees of the BBC were unable to access their email owing to a DDoS attack attributed to Iran. Persian-language media had come to expect that elections and protests would be met with DDoS attacks and website defacements. Unlike American banks, there was little they could do then to respond other than turn off their sites to avoid costly bills from their web hosts.
Knowing that someone is attempting to hack you is half the battle. For dissidents in oppressive regimes, government hacking can be consequential. We encountered at least two cases where Iranian state-sponsored hackers compromised individuals in the weeks prior to their arrest by security forces. The government singling you out for surveillance might be a warning that it is time to leave, and in our experience, hacking attempts are often taken as a signal not to travel back home. Notification can be a life or death issue.

Similarly, as the Associated Press has documented, while Russian hackers targeted foreign journalists and domestic opponents of President Vladimir Putin, nearly none of those interviewed were given notice by law enforcement or others about threats to their safety. This seems to be standard: in May 2014, the FBI published the names of fifty-six fictitious social network profiles that were used in a complicated Iranian scheme to spy on government officials and the defense sector, also covered in a report by iSIGHT (now FireEye). In the notice, provided to a closed list of companies and government entities, the FBI disclosed a larger network than iSIGHT had: at least sixteen of the profiles bore clearly Persian names (such as “Mehdi Rastegar”), identities that would not be useful for targeting the defense industry.
Neither governments nor the cybersecurity community have taken enough responsibility for protecting these users, exacerbating the disparity of opportunities. While forced dependency on commercial platforms and proprietary software is not desirable, advocates have few other options to defend themselves against state-backed hacking. Companies such as Google and Facebook are best positioned to protect users because they have built the resources and infrastructure, and hired security engineers to monitor and respond to threats. Until such time as the ideal of a truly safe and resilient Internet is realized, those with the resources and expertise have a heightened responsibility to be better stewards of user security. Companies and researchers must engage civil society as peers within a collaborative environment and place more value on the protection of such communities, guided by four core principles:
Invest: Tech and security companies should continue to invest in protecting users who are threatened by hacking and disruptive attacks from governments and criminal groups. While options for protecting accounts and devices have improved in recent years, some major companies lag behind their competitors. There should not be an economic barrier to staying secure. Not every dissident can afford the latest devices from Silicon Valley, and many are denied access to American services due to economic sanctions or other political issues.
Engage: Tech companies should maintain collaborative relationships with organizations and groups that understand the context in which they operate. Information should be shared with those communities in both directions when it can help the public be more resilient against attacks. Companies that provide information security and protective products should consider offering voluntary or pro bono services to individuals and organizations targeted by attacks.
Notify: Those singled out by governments should be given notice by platforms and security researchers when targeted or compromised. Where notification is currently provided, it is usually limited to a simple warning that “state-sponsored hackers had targeted their accounts.” This messaging does not help the user understand who targeted them, nor does it offer further assistance.
Remedy: Where a company or a cybersecurity researcher encounters attacks against at-risk communities, they should act swiftly to address and end those threats. Researchers often face a strategic question about whether to shut down an operation (at the risk of attackers adapting their techniques) or to continue passively observing the attacks. We are concerned that dissidents are treated as expendable compared to commercial infrastructure. We believe the apparent position of Google that all malware should be shut down regardless of its targets is commendable and should be an industry standard. Researchers should operate under the principle that it is their responsibility to end threats and remedy harm wherever possible.