TACTICAL CYBER INTELLIGENCE REPORT
Actor Type: N/A
Countries: US, SB, IR, SY
Report Date: 20180104
Iranian Protests and Cyber Hacktivism
Wapack Labs analysts have been monitoring the recent demonstrations in Iran, which reflect discontent toward the Islamic Republic established in the aftermath of the 1979 Revolution. Iranian dissidents and activists took to the streets by the thousands, chanting slogans like “We don’t want an Islamic Republic” and “Death to the dictator”, as they tore down pictures of Supreme Leader Khamenei and set fire to the Governor’s office.
Protests began in Mashhad, the second most populous city in Iran, which is built around the Holy Shrine of Imam Reza and remains a place of religious pilgrimage. By day two, the protests, with the help of the instant messaging service ‘Telegram’, had gained momentum and reached the far-western city of Kermanshah. By the time the Iranian government took steps to block media platforms like Instagram, Twitter, and Telegram, the third day of protests had already spread from the northern city of Tabriz to the southern port city of Bandar Abbas.
As demonstrations from around the country converged on Iran’s capital city of Tehran, loyalists of the Iranian government, including the Basij, a force of the Islamic Revolutionary Guard Corps (IRGC), took action. The IRGC fired tear gas in Tehran University, disabled the Internet, sealed off exits at metro stations, and surreptitiously vandalized properties to discredit the peaceful protests and spread anti-protest propaganda.
The social media platforms Facebook and Twitter were instrumental in the Green Movement that followed the 2009 Iranian presidential election, also known as the Persian Awakening, helping to mobilize the masses who felt disenfranchised by the results. In doing so, Twitter became the target of the Iranian Cyber Army, a hacker group allegedly backed by the Iranian government, which, following the Green Movement, used Twitter to target the Movement’s activists, even compromising Twitter’s DNS records. Until recent events, the Iranian government has managed to keep political activism under totalitarian control. The instant messaging service Telegram, which was the last to be banned by the government, has been vital in the recent demonstrations across Iran. As of Monday, ProtonMail, an encryption-enabled email application, was one of the legitimate communication channels still available to regular Iranian citizens.
Wapack analysts have been researching past and current activity of the Iranian-backed cyber-espionage groups OilRig and Greenbug (Ref Wapack Labs PIR-18-003-001). The current climate in Iran may give way to another wave of Iranian cyber hacktivists targeting the anti-regime demonstrators. Wapack Labs continues to monitor the situation.