Introduction
During the next months leading up to Iran’s Presidential elections on 17 May, Iranians will see an increase in cyber espionage leveraged against their systems and accounts. This increase will especially target politically active citizens as well as prolific and politically vocal Iranian-Americans abroad. These attempts by Iran’s intelligence and security services will be designed to collect intelligence on perceived threats to the current ruling structures and political elites. Tactically, these operations will give Iran’s intelligence network the information and access it seeks to disrupt the spread of views and actions it deems harmful to the election outcome desired by Iran’s theocratic elites. The regime has already shown signs that it will attempt to gain access to social networking sites to both monitor and limit political speech. These attempts involve personal webmail accounts, including Gmail and other email services, as well as social networking platforms. Among these, Telegram, allegedly the most widely used in Iran, is the most notable.
Who is at risk?
Iran’s cyber espionage programs, like other programs it sponsors, fit into a broader, strategic pathway to achieve its desired end goals. Geopolitically, this translates into regional dominance, as Iran sees itself as the natural dominating force, politically, economically, and culturally, over the Gulf region. Internally, the regime wants to maintain internal stability to allow the current religious and political Shi’a structures to persist in their dominance over the internal political conversation and economic decisions. The motivation for the cyber activity discussed in this analysis is closely linked with Iran’s internal concerns and desired end state.
Iran’s targeted intrusion operations ahead of the elections will primarily affect Iranian citizens, dissidents, political opponents of the regime and activists. Iran’s Cyber Police (FATA) has already faced pressure from elites within the Supreme Leader’s circle over the past six months to maintain an adequate hold on internet communications leading up to the election. FATA monitors Iran’s social media space for hints of political criticism and unrest, and their monitoring has led to arrests and prosecutions of Iranians on the grounds of treason and inciting social unrest. The Iranian National Guard Corps will play a significant role in monitoring, exploiting, and exerting force over perceived threats to the theocratic establishment originating from the elections and related events.
Looking outside its borders, Iran’s ruling elite and its corresponding intelligence service, the IRGC, believe that Washington works tirelessly to undermine or bend Iran’s internal political affairs to its will. Iran views foreign non-governmental organizations, dissidents, and Iranian-American groups as outlets for U.S. influence and covert operations. Tehran suspects these organizations to be fronts owned or controlled by the U.S. government, and suspects that they will work to influence electoral outcomes or processes.
Due to the Trump Administration’s position on Iran following the Obama-brokered nuclear deal, Tehran is especially wary of political dissension and internal conflict. The new U.S. administration has not yet provided details of its foreign policy vis-a-vis Iran and the region. The few impressions and statements made thus far may prompt attempts to penetrate related U.S. information networks in order to gain insights into Washington’s views on and potential plans regarding the upcoming elections. The Iranian government may be even more sensitive to this due to the claims that Russian intelligence services attempted to influence the recent U.S. presidential election.
What will targeting look like?
Security researchers observed the first well-coordinated and widespread cyber espionage targeting against targets both within Iran and abroad following the 2009 Iranian elections, in which Mahmoud Ahmadinejad took the Office of the Iranian President. In the wake of this election, Iran’s Green Movement emerged. Central to the movement was the contention that the elections were fraudulent and that a less conservative candidate would have won had the theocratic establishment not rigged the result in favor of Ahmadinejad. During this time, there was immense top-down pressure from the highest levels of the Supreme Leader and the security/intelligence apparatus to use the information space to gain intelligence on and ultimately undermine the Green Movement, along with similar opposition movements. These circumstances enabled state-sponsored cyber actors to develop techniques to target and exploit the accounts and systems of politically active Iranians, as well as those believed to be aiding them abroad. The stratagems and structures developed at both the organizational and individual level during this period will likely continue to define Iranian cyber espionage tradecraft against domestic targets into the foreseeable future.
In their publicly available Iran Threats project, researchers Collin Anderson and Claudio Guarnieri carefully track intrusive cyber activity attributed to Iranian actors, particularly activity targeting journalists, dissidents, and political activists. They have documented continuous social network exploitation and device exploitation campaigns against political figures and organizations that had been vocal about the Iranian 2013 Presidential election as it approached. In some of these cases, Iranian actors spoofed media outlets and individuals associated with Iran’s more moderate and reformist-minded political coalitions in messages written in Farsi. These actors fitted the messages with PowerPoint slide attachments containing malicious software designed to compromise the targeted individuals’ machines. These messages were convincingly designed, and each message’s theme and subject matter was customized to blend into correspondence that the intended target might normally encounter.
Before the 2016 parliamentary elections, Anderson and Guarnieri tracked another set of reportedly Iranian actors engaged in a social media exploitation campaign via the Telegram platform. The group was able to gain a foothold in the social network of a group of politically active and regime-critical individuals by compromising a single user and then using that access to send what appeared to be legitimate correspondence to the user’s contacts. The group would send messages to those contacts, prompting them to divulge one-time login codes for their accounts. These actors also attempted to remotely gain illegitimate access to Telegram’s servers, specifically seeking information on Telegram accounts registered with Iranian phone numbers.
More recently, Anderson and Guarnieri have observed Gmail security team-themed spear phishing messages as well, which proved successful in duping a number of individuals into divulging their credentials via a fake Gmail login page. Again, after compromising one account and exploiting the information, these actors moved through the user’s circle of contacts stored within the account, using the access to identify and target other connected individuals. Another series of messages sent to journalists and activists masqueraded as human rights organizations (for example, United for Iran), boasting the development of a platform for monitored persons to communicate securely, complete with a link to a Dropbox-hosted credential harvesting webpage. Within the last year, Iranian actors also demonstrated a mobile device remote exploitation capability by leveraging Android malware against the devices of journalists and dissidents outside of Iran.
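The three lures described in the two paragraphs above (a message impersonating a contact and asking for a one-time login code, a Gmail security-team theme pointing at a non-Google login page, and a "secure platform" link hosted on a file-sharing service) share features that a recipient or a mail/chat gateway can check for mechanically. The following triage helper is an added example written for this page; it is not code from the Iran Threats project or from Anderson and Guarnieri. The host lists, the regular expressions and the four sample messages are constructed for illustration, and the domains in the samples use reserved `.example` names rather than any real infrastructure.

```python
import re
from urllib.parse import urlparse

# Domains that legitimately host Google sign-in pages (assumed allowlist; a
# defender would maintain this from their own knowledge of the service).
GOOGLE_DOMAINS = {"google.com"}

# File-sharing services seen hosting credential-harvesting pages. Dropbox is
# named in the report; the second entry is Dropbox's own content host.
FILE_SHARING_DOMAINS = {"dropbox.com", "dropboxusercontent.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# "Gmail"/"Google" followed somewhere later by account-security wording.
GMAIL_THEME_RE = re.compile(
    r"\b(gmail|google)\b.*?\b(security|account|verify|suspend)", re.I | re.S)
# A request to hand over a login / verification / one-time code.
CODE_REQUEST_RE = re.compile(
    r"\b(login|verification|one[- ]time|sign[- ]in)\s+code\b", re.I)


def _host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of one.
    Lookalikes such as 'accounts-google.com.example' do not match."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_message(text):
    """Return a list of (finding, url_or_None) tuples for one message body."""
    findings = []
    links = [(u, urlparse(u).hostname or "") for u in URL_RE.findall(text)]

    # Lure 1: Gmail/Google account-security theme with an off-Google link.
    if GMAIL_THEME_RE.search(text):
        for url, host in links:
            if not _host_in(host, GOOGLE_DOMAINS):
                findings.append(("gmail-theme-offsite-login", url))

    # Lure 2: any link served from a file-sharing host.
    for url, host in links:
        if _host_in(host, FILE_SHARING_DOMAINS):
            findings.append(("file-sharing-hosted-link", url))

    # Lure 3: a request to forward a one-time / login code.
    if CODE_REQUEST_RE.search(text):
        findings.append(("login-code-request", None))

    return findings


# Constructed sample messages modelled on the lures described in the report.
SAMPLE_GMAIL_LURE = (
    "Gmail Security Team: unusual sign-in detected on your account. "
    "Verify now at http://accounts-google.com.example/login"
)
SAMPLE_PLATFORM_LURE = (
    "United for Iran has built a secure platform for activists. "
    "Download the client: https://www.dropbox.com/s/abc123/client.html"
)
SAMPLE_CODE_REQUEST = (
    "Hi, Telegram sent my login code to your number by mistake, "
    "can you forward the login code you just received?"
)
SAMPLE_BENIGN = (
    "Reminder: review your Google account security settings at "
    "https://myaccount.google.com/security"
)

if __name__ == "__main__":
    for name, body in [("gmail lure", SAMPLE_GMAIL_LURE),
                       ("platform lure", SAMPLE_PLATFORM_LURE),
                       ("code request", SAMPLE_CODE_REQUEST),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, "->", triage_message(body))
```

The allowlist approach is deliberate: a lookalike such as `accounts-google.com.example` or `google.com.evil.example` fails the suffix check because matching is done on whole domain labels, while the genuine `myaccount.google.com` passes. The code-request pattern is the only check that needs no link at all, which is the point of the Telegram campaign described above: the attacker already holds a trusted account and only needs the victim to hand over a code.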
Conclusion
Information gained by Iran’s intelligence and security apparatus may be acted upon in a variety of ways to help ensure the elections run according to the will of the theocratic establishment. The information could expand Iranian intelligence services’ understanding of the networks of Iranian dissidents, political activists, and those that provide them aid, as well as their methods of communication and operation. The information may also be leveraged to facilitate arrests of Iranian citizens engaging in movements or social networks of individuals judged by the IRGC or other services to be a threat to Iran’s political establishment and internal stability during the elections. Iran’s leadership is sensitive to heightened internal political tensions during elections and will attempt to suppress another Green Movement before it begins. Arrests of regime-critical Iranians already occur frequently, and information gained in a successful exploitation may enable continued arrests designed to stop instigators and make public examples.