UNITED24 - Make a charitable donation in support of Ukraine!


IRGC’s Guard Cyber Defense Command (GCDC)

The IRGC’s Guard Cyber Defense Command (GCDC) includes a special department called the Center for Inspecting Organized Crimes (CIOC). The CIOC focuses on ensuring the regime’s vision of cyber security. The CIOC’s official website is called Gerdab (www.gerdab.ir), which is a Farsi word meaning whirlpool. The IRGC’s CIOC has openly admitted that it would forcefully suppress anyone seeking to carry out “cultural operations” against the Islamic Republic via the Internet and that it monitors Persian-language sites for what it deems to be aberrations.

The CIOC has taken an active role in identifying and arresting protesters involved in the 2009 post-election unrest, particularly those individuals active in cyber space.

The IRGC’s CIOC uses extensive methods to identify Internet users, including through an identification of their Internet Protocol (IP) addresses. The Iranian regime has identified and arrested many bloggers and activists through the use of advanced monitoring systems, and the CIOC inspects forwarded emails to identify those critical of the regime. The IRGC's cyber police focus on filtering websites in Iran, monitoring the email and online activity of individuals on a watch list, and observing the content of Internet traffic and information posted on web blogs. Individuals on the watch list included known political opponents and reformists, among others. Individuals arrested by the IRGC have been subjected to severe mental and physical abuse in a ward of Evin Prison controlled by the IRGC.

The Department of the Treasury previously designated the IRGC in June 2011 under E.O. 13553 and in October 2007 under E.O. 13382 “Blocking Property of Weapons of Mass Destruction Proliferators and Their Supporters.” On 23 April 2012 President Obama announced an Executive Order, “Blocking the Property and Suspending Entry into the United States of Certain Persons with Respect to Grave Human Rights Abuses by the Governments of Iran and Syria Via Information Technology” (“the GHRAVITY E.O.” or the “Order”). The Order targets, among others, persons determined to have operated, or to have directed the operation of, information and communications technology that facilitates computer or network disruption, monitoring or tracking that could assist in or enable human rights abuses by or on behalf of the Government of Syria or the Government of Iran. Pursuant to this order sanctions were imposed on the Syrian General Intelligence Directorate (GID), the GID’s Director Ali Mamluk, Iran’s Ministry of Intelligence and Security (MOIS), Iran’s Islamic Revolutionary Guard Corps (IRGC), Iran’s Law Enforcement Forces (LEF), the Iranian Internet service provider Datak Telecom, and the Syrian communication firm Syriatel.

The GHRAVITY E.O. sends a clear message that the United States condemns the continuing campaigns of violence and human rights abuses against the people of Syria and Iran by their governments and provides a tool to hold accountable those who assist in or enable such abuses through the use of information and communications technology.

Government organizations, including the Basij “Cyber Council,” the Cyber Police, and the Cyber Army, which observers presumed to be controlled by the IRGC, monitored, identified, and countered alleged cyberthreats to national security. These organizations especially targeted citizens’ activities on officially banned social networking websites such as Telegram, Facebook, Twitter, YouTube, and Flickr, and they reportedly harassed persons who criticized the government or raised sensitive social problems.

Minister of information and communications technology Mahmoud Vaezi announced in 2017 that the government had improved methods to control the internet and had shut down a number of online platforms. The government’s decade-long project to build a National Information Network (NIN) resulted in its launch in 2016. The NIN enabled officials to allow higher speed and easier access on domestic traffic, while limiting international internet traffic. RSF reported that the NIN acted like an intranet system, with full content control and user identification. Authorities may disconnect this network from global internet content, and they reportedly intended to use it to provide government propaganda and disrupt circumvention tools. During nationwide protests in December 2017, authorities used NIN technology to cut off access to the global internet for 30 minutes.

Iran uses cyber operations as a low-cost tool of statecraft, and will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations. The use of cyber attacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks. However, Iran is testing more aggressive cyber attacks that pose growing threats to the United States and US partners.

Iran will continue working to penetrate US and Allied networks for espionage and to position itself for potential future cyber attacks, although its intelligence services primarily focus on Middle Eastern adversaries — especially Saudi Arabia and Israel. Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran’s recent restraint from conducting cyber attacks on the United States or Western allies. Iran’s cyber attacks against Saudi Arabia in late 2016 and early 2017 involved data deletion on dozens of networks across government and the private sector.

The Iranian regime, under the supervision and guidance of the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), has employed new cyberwarfare and tactics in a desperate attempt to counter the growing dissent inside the country, in particular the nationwide uprising that erupted in late December 2017. NCRI-US reveals information about the regime’s new wave of cyber repression, and key players involved. A domestic mobile apps marketplace modeled after Google Play, is supervised by the IRGC to distribute spyware-enabled apps. IRGC front companies are developing spyware-enabled apps for cyber-surveillance and repression. Ironically, some of these apps are available on Google Play, Apple Store, and GitHub, potentially exposing millions of users worldwide to the regime’s spyware and surveillance.

The messaging app Telegram is actively being used by 40 million Iranians and was crucial in the spreading of information during the recent wave of anti Iranian regime protests. However, as the book details, the Iranian Revolutionary National Guard has spread alternative messaging apps installed with malware into the app marketplace. The National Guard then uses these apps to track and combat the spread of rebellious information.The regime's extreme effort on the cyber front underscores the need for free internet within Iran and its essentiality in spreading a successful anti-theocratic protest.

On 24 March 2016, a grand jury in the Southern District of New York indicted seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps, on computer hacking charges related to their involvement in an extensive campaign of over 176 days of distributed denial of service (DDoS) attacks.

Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, launched DDoS attacks against 46 victims, primarily in the U.S financial sector, between late 2011 and mid-2013. The attacks disabled victim bank websites, prevented customers from accessing their accounts online and collectively cost the victims tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers. In addition, Firoozi is charged with obtaining unauthorized access into the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, located in Rye, New York, in August and September of 2013.

The indictment was announced today by Attorney General Loretta E. Lynch, Director James B. Comey of the FBI, Assistant Attorney General for National Security John P. Carlin and U.S. Attorney Preet Bharara of the Southern District of New York. “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,” said Attorney General Lynch. “Through the work of our National Security Division, the FBI, and U.S. Attorney’s Offices around the country, we will continue to pursue national security cyber threats through the use of all available tools, including public criminal charges. And as today’s unsealing makes clear, individuals who engage in computer hacking will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.”

The DDoS campaign began in approximately December 2011, and the attacks occurred only sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis, between Tuesday and Thursdays during normal business hours in the United States. On certain days during the campaign, victim computer servers were hit with as much as 140 gigabits of data per second and hundreds of thousands of customers were cut off from online access to their bank accounts.

Fathi, Firoozi and Shokohi were responsible for ITSEC’s portion of the DDoS campaign against the U.S. financial sector and are charged with one count of conspiracy to commit and aid and abet computer hacking. Fathi was the leader of ITSEC and was responsible for supervising and coordinating ITSEC’s portion of the DDoS campaign, along with managing computer intrusion and cyberattack projects being conducted for the government of Iran. Firoozi was the network manager at ITSEC and, in that role, procured and managed computer servers that were used to coordinate and direct ITSEC’s portion of the DDoS campaign. Shokohi is a computer hacker who helped build the botnet used by ITSEC to carry out its portion of the DDoS campaign and created malware used to direct the botnet to engage in those attacks. During the time that he worked in support of the DDoS campaign, Shokohi received credit for his computer intrusion work from the Iranian government towards his completion of his mandatory military service requirement in Iran.

Ahmadzadegan, Ghaffarinia, Keissar and Saedi were responsible for managing the botnet used in MERSAD’s portion of the campaign, and are also charged with one count of conspiracy to commit and aid and abet computer hacking. Ahmadzadegan was a co-founder of MERSAD and was responsible for managing the botnet used in MERSAD’s portion of the DDoS campaign. He was also associated with Iranian hacking groups Sun Army and the Ashiyane Digital Security Team (ADST), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (NASA) in February 2012.

Ahmadzadegan has also provided training to Iranian intelligence personnel. Ghaffarinia was a co-founder of MERSAD and created malicious computer code used to compromise computer servers and build MERSAD’s botnet. Ghaffarinia was also associated with Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February 2012, as well as thousands of other servers in the United States, the United Kingdom and Israel. Keissar procured computer servers used by MERSAD to access and manipulate MERSAD’s botnet, and also performed preliminary testing of the same botnet prior to its use in MERSAD’s portion of the DDoS campaign. Saedi was an employee of MERSAD and a former Sun Army computer hacker who expressly touted himself as an expert in DDoS attacks. Saedi wrote computer scripts used to locate vulnerable servers to build the MERSAD botnet used in its portion of the DDoS campaign.

Between Aug. 28, 2013, and Sept. 18, 2013, Firoozi repeatedly obtained unauthorized access to the SCADA systems of the Bowman Dam, and is charged with one substantive count of obtaining and aiding and abetting computer hacking. This unauthorized access allowed him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature and status of the sluice gate, which is responsible for controlling water levels and flow rates. Although that access would normally have permitted Firoozi to remotely operate and manipulate the Bowman Dam’s sluice gate, Firoozi did not have that capability because the sluice gate had been manually disconnected for maintenance at the time of the intrusion.

On 18 July 2017, OFAC designated the Ajily Software Procurement Group as a significant transnational criminal organization (TCO) pursuant to E.O. 13581, “Blocking Property of Transnational Criminal Organizations.” The Ajily Software Procurement Group, based in Iran, uses hackers to steal engineering software programs from the United States and other western countries. Some of this software was sold to Iranian military and government entities, which are unable to acquire it overtly because of U.S. export controls and sanctions. The hackers use computer servers located in multiple western countries to carry out their thefts. The Ajily Software Procurement Group is the eighth TCO targeted under E.O. 13581.

OFAC designated Iranian national Mohammed Saeed Ajily for acting or purporting to act for or on behalf of, directly or indirectly, the Ajily Software Procurement Group. Mohammed Saeed Ajily is an Iranian businessman who directs Ajily Software Procurement Group hackers to steal specific software programs. Once the software is illegally acquired, Ajily uses multiple companies to market and sell the stolen computer programs in Iran. Some of this software, which is export controlled given its use in the design of rockets and GPS-guided weaponry, was sold to Iranian military and government entities. Ajily also procured specialized software for Malek Ashtar University of Technology, which was designated pursuant to E.O. 13382 on July 12, 2012 and is one of the major research institutes contained under the MODAFL umbrella.

OFAC designated Iranian national Mohammed Reza Rezakhah for acting or purporting to act for or on behalf of, directly or indirectly, the Ajily Software Procurement Group. Mohammed Reza Rezakhah is a computer hacker who steals software programs from western countries and cracks software protections, at the direction of Ajily, in order for the Ajily Software Procurement Group to sell the stolen technology, including to Iranian military and government entities.

On 23 March 2018, in a coordinated action with the U.S. Department of Justice, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated one Iranian entity and 10 Iranian individuals under Executive Order (E.O.) 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” as amended. The entity and individuals designated today engaged in the theft of valuable intellectual property and data from hundreds of U.S. and third-country universities and a media company for private financial gain.

“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies. The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data,” said Treasury Under Secretary Sigal Mandelker. “We will not tolerate the theft of U.S. intellectual property, or intrusions into our research institutions and universities. Treasury will continue to systematically use our sanctions authorities to shine a light on the Iranian regime’s malicious cyber practices, and hold it accountable for criminal cyber-attacks.” As a result of this action, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.

The 23 March action designated one Iranian entity and 10 Iranian nationals pursuant to E.O. 13694, as amended, which targets malicious cyber activities, including those related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain.

The Mabna Institute is an Iran-based company that engaged in the theft of personal identifiers and economic resources for private financial gain. The organization was founded in or about 2013 to assist Iranian universities and scientific and research organizations in obtaining access to non-Iranian scientific resources. The Mabna Institute also contracted with Iranian governmental and private entities to conduct hacking activities on its behalf.

Initially, the cyber criminals used an elaborate spearphishing campaign to target the e-mail accounts and computer systems of their victims, which in addition to the universities included nearly 50 domestic and foreign private-sector companies, the states of Hawaii and Indiana, and the United Nations.

According to the indictments, the hackers stole more than 30 terabytes of academic data and intellectual property—roughly three times the amount of data contained in the print collection of the Library of Congress.“Their primary goal was to obtain user names and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on,” said a special agent who investigated the case from the FBI’s New York Division. “That information included access to library databases, white papers, journals, research, and electronic books. All that information and intellectual property was provided to the Iranian government,” he added.

The Mabna Institute conducted massive, coordinated cyber intrusions into computer systems belonging to at least approximately 144 United States-based universities, in addition to at least 176 universities located in 21 foreign countries: Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the United Kingdom. The exfiltrated data and stolen login credentials acquired through these malicious cyber-enabled activities were used for the benefit of Iran’s Islamic Revolutionary Guard Corps (IRGC), and were also sold within Iran through at least two websites. The stolen login credentials belonging to university professors were used to directly access online university library systems.

Mabna Institute targeted more than 100,000 accounts of professors around the world and successfully compromised approximately 8,000 of those accounts. The campaign continued through at least December 2017. Although it is difficult to calculate a dollar loss amount, through the course of the conspiracy, U.S.-based universities spent approximately $3.4 billion to procure and access data that the Iranians accessed for free because of their criminal activity.

Victim professors believed they were dealing with colleagues who had expressed an interest in academic articles. The e-mails tricked many of the professors to click on links that recorded their keystrokes when they signed into what they thought were their secure university domains but were actually bogus sites controlled by the hackers. The Iranians targeted data across all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical, and other professional fields.

In addition to targeting universities, the hackers gained access to employee e-mail accounts at nearly 50 private companies around the world—the majority of them U.S. firms. Among the U.S.-based victims were academic publishers, media and entertainment companies, technology companies, and investment firms. During that same period in 2016, the hackers also began conducting intrusions against various U.S. federal agencies and other organizations such as the United Nations.

This brute force technique involves collecting lists of names and e-mail accounts through open-source Internet searches and then guessing the users’ passwords, betting that some users never changed default company passwords or used common ones such as “password123.” Password spraying is such an unsophisticated technique that it can go undetected by company security networks. “They were flying under the radar,” said the cyber agent who investigated the case, “and the magnitude of their effort was remarkable.”

The tactic worked, providing hackers access to victims’ entire e-mail accounts. Now, in addition to academic data, the hackers were accessing companies’ trade secrets and sensitive U.S. government information.

OFAC also designated nine Iran-based individuals who were leaders, contractors, associates, hackers for hire, and affiliates of the Mabna Institute for engaging in malicious cyber-enabled activities related to the significant misappropriation of economic resources or personal identifiers for private financial gain.

  1. Gholamreza Rafatnejad (Rafatnejad) was a founding member of the Mabna Institute and organized the Mabna Institute hacking campaign.
  2. Ehsan Mohammadi (Mohammadi) was also a founding member of the Mabna Institute. Along with Rafatnejad,Mohammadi also helped organize Mabna’s university hacking campaign and received from others compromised account credentials belonging to university professors.
  3. Seyed Ali Mirkarimi (Mirkarimi) was a hacker and Mabna Institute contractor. Mirkarimi engaged in a variety of phases of Mabna’s university hacking campaign, including the crafting and testing of malicious, spearphishing emails and organizing of stolen credentials.
  4. Mostafa Sadeghi (Sadeghi) was a hacker and affiliate of the Mabna Institute. Sadeghi compromised more than 1,000 university professor accounts. Sadeghi exchanged credentials for compromised professor accounts with other Mabna-affiliated actors. Sadeghi was also involved in the operation of, and maintained a financial interest in, one of the websites selling access to the stolen university data.
  5. Sajjad Tahmasebi (Tahmasebi) was a Mabna Institute contractor. He helped facilitate the spearphishing campaign targeting universities by, among other things, conducting online network surveillance of victim university computer systems and maintaining lists of credentials stolen from victim professors.
  6. Abdollah Karima (Karima) was a businessman who owned and operated a company that sold, through a website, access to stolen academic materials obtained through computer intrusions.Karima contracted with the Mabna Institute to direct hackingactivities. Mabna affiliates regularly provided compromised university professor login credentials to Karima.
  7. Abuzar Gohari Moqadam (Gohari Moqadam) was a professor and affiliate of the Mabna Institute. Gohari Moqadamexchanged stolen credentials for compromised accounts with Mabna Institute founders Rafatnejad and Mohammadi.
  8. Roozbeh Sabahi (Sabahi) was a contractor for the Mabna Institute. Roozbeh Sabahi assisted in the execution of the various Mabna hacking activities, including its university campaign by, among other things, organizing stolen credentials obtained by Mabna Institute hackers.
  9. Mohammed Reza Sabahi (Sabahi) was a Mabna Institute contractor. Sabahi assisted in the carrying out of Mabna’sspearphishing campaign targeting universities. Among his activities, Mohammed Reza Sabahi created targeting lists of university professors and catalogued academic databases at targeted universities.

In addition to the designations above related to the activities of the Mabna Institute, OFAC designated an additional Iranian national pursuant to E.O. 13694, as amended, for engaging in significant malicious cyber-enabled misappropriation of economic resources, personal identifiers, and financial information for private financial gain for activities targeting a U.S. media company.

Behzad Mesri (Mesri) compromised multiple user accounts belonging to a U.S. media and entertainment company in order to repeatedly gain unauthorized access to the company’s computer servers and steal valuable stolen data including confidential and proprietary information, financial documents, and employee contact information. Mesri then engaged in anattempt to extort the victim company for $6 million. Mesri is the subject of an indictment announced by the U.S. District Court for the Southern District of New York on November 21, 2017.

A January 2018 report of the Carnegie Endowment for International Peace indicates that “Iran’s offensive cyber activities are almost exclusively overseen by the IRGC” (with little prospect of oversight of elected officials) and “composed of a scattered set of independent contractors who mix security work, criminal fraud, and more banal software development”. The report notes that “[w]hile the relationships between proxies and governments can range from passive support to complete control, Iran’s indigenous threat actors maintain an arm’s-length relationship to the state, with certain operations orchestrated to meet the needs of the government”. (Carnegie Endowment for International Peace, 4 January 2018, p. 17)

The same source goes on to provide details on the nature of cyber operations conducted by Iranian groups against foreign and domestic targets over the past years: “After successfully suppressing the 2009 Green Movement and first detecting the Stuxnet attack in 2010, Iranian threat actors conducted sustained campaigns against domestic and foreign adversaries. These indigenous operations appear to be performed by small groups of individuals that have varying levels of technology experience with no more than ten people per team. These campaigns and the resources produced by the groups range from rudimentary to relatively professional, but most actors still face a low capacity ceiling. […]

"Iranian threat actors conduct campaigns with established toolkits that sometimes last for years and ensnare hundreds of targets. However, the fluid nature and decentralization of these groups make them relatively difficult to track. Malware that is publicly attributed to Tehran is often abandoned immediately on exposure, and identifiable members appear to change groups over time. Some groups seem to split up, have members move elsewhere, or even collaborate, further blurring lines. For example, while an IRGC-affiliated group labeled Rocket Kitten was the most active operator for a two-year period (2014–2016), attracting press attention as Iran’s premiere threat, it has since faded into quiescence, eclipsed by the actor Oilrig.

"Despite their substantial financial impact, Tehran’s disruptive operations against foreign targets have been technically simple. The compromise of a small number of IT personnel enabled the destruction of data on computers maintained by Saudi Aramco, eventually resulting in hundreds of millions of dollars in damage. In only a few campaigns have Iranian threat actors shown the professionalism and sophistication approaching that expected of a nation-state actor; in one such case, the operation could be tied directly to the Ministry of Intelligence […]

"While sophistication alone can be a superficial metric of posed threat, Iranian operations do not demonstrate the common technical precautions taken by other nation-state actors (such as obfuscating malware), and, even with strong social engineering capabilities, attacks are often betrayed by a lack of investment in nontechnical resources (such as fluency in English or personal tailoring of messages). These resource constraints also account for why Iranians are more effective at compromising dissidents—Iranian threat actors understand their target’s context and language, as opposed to when they are tasked with European languages or other cultures. […]

"It is often difficult to determine the origins and perpetrators of Iranian offensive cyber operations, as these campaigns may disappear as quickly as they appear. Public exposure often leads them to change tactics and abandon tools, making tracking even more difficult. The history of cyber operations targeting Iranians and originating from Iran is populated by groups that arise out of nowhere and conduct campaigns for ambiguous reasons over a finite time span, then disappear.” (Carnegie Endowment for International Peace, 4 January 2018, pp. 17-22)

Join the GlobalSecurity.org mailing list

Page last modified: 24-07-2019 19:20:29 ZULU