Late last year, a group of hackers likely linked to the Iranian government reorganized the infrastructure supporting their cyberattacks. The hackers built it so their malware, which was infecting Iranian human rights activists and dissidents at home and abroad, would contact different servers under their control.
At that point, Collin Anderson and Claudio Guarnieri, two independent researchers who had been tracking Iranian hackers for three years already, saw an opportunity. So they registered a series of domains linked to the hacker's infrastructure and waited.
For the next six months, whenever an Iranian human rights activists got hacked, the malware would send his or her information back to the hackers—and, at the same time, the two researchers as well.
"They never noticed that we were completely monitoring the whole thing for several months," says Guarnieri, who is a technologist at Amnesty International and a fellow at Citizen Lab.
"They never noticed that we were completely monitoring the whole thing for several months."
The two weren't just able to gather information about the victims though. When the hackers started testing new strains of malware on themselves, they sent sent their own data to their command and control servers, and to Anderson and Guarnieri's servers.
That way, the two were able to keep tabs on the hackers themselves collecting their computer names, IP addresses, unique identifiers of the computers, "and all this kind of stuff," the two tell me, laughing coyly, during an interview in Las Vegas.
Last week, Anderson, an independent security researcher, and Guarnieri released a 50-page research paper exposing three years of Iranian hacking campaigns, during which they tracked more than 300 individual cyberattacks on activists.
Their research shows that despite the frequent media portrayals of Iranian hackers focused on hacking foreign governments, companies and critical infrastructure, the hackers are more worried about spying on Iranian citizens both inside the country as well as in the diaspora, the researchers said.
"They're owning a lot," Guarnieri says, noting that the hackers' techniques aren't exactly sophisticated, but they are effective. And "they're progressing quite fast," which is "a sign that perhaps things will even get worse in the near future."
For example, the two showed an old phishing attempt sent to an Iranian activist. The email was sloppy, and easily raised red flags at the eyes of anyone with a little training in spotting malware attacks. The email was purported to be sent by a "CIA Secure Program!" and invited the recipient to install an ".exe" file to send anonymous tips to the spy agency.
Three years later, the phishing attacks don't purport to come from the CIA, but immigration authorities, and try to leverage the fact that many Iranians abroad are on a visa and often have immigration paperwork to worry about. They also look more professional, and thus, more believable.
In their paper, which is just a part of a larger research project that will be published later this year by the Washington D.C. think tank Carnegie Endowment for International Peace, Anderson and Guarnieri detail the activities of four different Iranian hacking groups, dubbed Infy, Cleaver or Ghambar, Rocket Kitten and Sima.
Their work isn't just an unprecedented deep look at the activities of Iranian hackers against civil society, which builds and expands on previous research, but it's also a testament that you don't need to run an antivirus company that has access to thousands of computers worldwide to get your hands on malware.
The way Anderson and Guarnieri did it was by developing a relationship with the communities targeted by the hackers.
"We don't leverage large datasets, we don't have access to big data cloud—whatever." Guarnieri says. "But we have access to a resource that probably no security company has, which is networks of people."
"We have access to a resource that probably no security company has, which is networks of people."
The two grew these networks by working directly with dissidents and reaching out to those communities. Anderson, for example, has become the go-to expert when it comes to Iranian internet issues. The Washington, D.C.-based researcher echoed Guarnieri's thoughts, saying that "having those trusted relationships with those communities has allowed us to sort of create our own versions of those monitoring systems."
Over the years, the two have become the go-to people for Iranians who have received suspicious emails, although it's not always easy to build trust. Once, Anderson recalls, a friend of a friend put him in touch with someone who had received a potentially dangerous email. Initially, the target didn't believe him.
"I said, 'hey, you don't know me but you've been compromised,'" Anderson says. "Sometimes they don't believe me so in a couple of cases I had to be like, 'well, here are some files from your computer.'"
After three years of meticulous and behind-the-scenes malware-gathering, the two decided to come out publicly this summer, after the security firm Palo Alto exposed the group the researchers had infiltrated in early May.
That's when the security firm redirected traffic going to the hackers' botnet to servers it controlled, disrupting their operations, during the Iranian holiday weekend. When the hackers came back from their days off, they started freaking out, according to Anderson and Guarnieri, who witnessed how the group started frantically checking all servers to see what had happened.
At that point, the two agreed, it was time to come out publicly. Exposing their tactics, they argued, not only helps potential victims be more careful, but it also hinders the hackers' future operations.
"If we don't do anything we're not gonna stop them," Guarnieri says. "Publishing is also not going to stop them, but it creates a sort of economic tension between the cost that's been invested in creating and maintaining these campaigns and the publishing of it."
Yet, despite uncovering around 300 cases of attacks, the two admit that this is probably just the "tip of the iceberg," and they called on the security industry to come forward and help collect more cases and share malware samples.
"The communities that we deal with are completely left helpless, they're not customers of anybody, they're not technically supported by anybody," Guarnieri says. "It's just too hard to do it ourselves alone."