Intelligence: Those Sneaky And Clever Iranians


June 12, 2014: Iranian intelligence operations are increasing making use of the Internet to obtain information and in clever ways. One recently discovered Iranian operation, called Newcaster, made use of well-prepared phony journalists who gained the trust of low-level officials and then used that familiarity to target these people with email attachments containing secret software that enabled the Iranians to obtain information from the recipients computer.

This is known in the trade as "spear fishing" (or "phishing"), which is a Cyber War technique that sends official looking email to specific individuals, with an attachment which, if opened, secretly installs a program that sends files from the email recipient's PC to the spear fisher's computer. In the past decade an increasing number of military, government, and contractor personnel have received these official looking emails, with a PDF document attached and asking for prompt attention. Despite being widely known, spear phishing still works and intelligence gathering organizations use it more and more. 

The Iranians created a phony news organization ( that contained “stories” that were plagiarized, with some judicial editing, from major news organization websites. This effort began in 2011 and eventually became too well known to have much success and was shut down. Iran never took credit for it, but an analysis of the known targets indicated the operator was probably Iran. 

For example, back in 2012 it was discovered that someone was targeting pro-Syrian rebel websites and individuals outside of Syria. The attack came in the form of phony email addressed to a specific individual and made to appear it was from another rebel sympathizer or activist that the recipient knew. There was a file attached which, when opened, secretly installed monitoring software. Thus the infected computer could be secretly monitored by the Syrian government and files, email, and even all keyboard activity quietly copied. Some of the victims were found to have had contact with “reporters” and that was one of the methods used to get rebel sympathizers and activists to open the email attachments that secretly infected their computers and permitted information to be secretly taken from that PC.  The 2012 spear phishing campaign against Syrian rebels was discovered to have been part of an Iranian intelligence effort in support of the Syrian government and was using Newscaster resources to help get into the PCs of key individuals. Analysis of the hacker software secretly planted on target PCs also showed a pattern that eventually led to the exposure of as being part of an intelligence operation.

Iran isn’t the only one, or even the first one to use these techniques. China has been particularly active in using this against pro-reform Chinese living outside of China. Other police states have also been found using these techniques. Another favorite Information War tactic is to shut down opposition web sites. This is usually done using a DDOS (distributed denial of service) attack. These are carried out by first using a computer virus (often delivered as an email attachment or via a game or an infected website), that installs a secret Trojan horse type program, that allows someone else to take over that computer remotely and turn it into a "zombie" for spamming, stealing, monitoring, or DDOS attacks to shut down another site. There are millions of zombie PCs out there and these can be rented, either for spamming or launching DDOS attacks. Anyone with about $100,000 in cash could carry out attacks. You can equip a web site to resist, or even brush off, a DDOS attack and some of those attacked were prepared. But others were not. Websites supporting the overthrow of dictators are increasingly being shut down, sometimes for weeks, by DDOS attacks or zombies that disable the site internally.

Syria was not known to have an extensive Cyber War capability and even in 2012 they were suspected of getting help from Iranian Cyber War experts. For a while it was believed that the Syrian government was largely relying on criminal (as in Internet based crime) gangs because these guys were for hire and were up-to-date on all the latest techniques. All you usually have to do in return is offer the gangs a safe haven. The gangs have to refrain from major operations against the country they are in but most of the targets are in the West (that's where most of the money is). Of course, no one will admit to this sort of thing. But criminal gangs working for the secret police is an ancient practice in these two countries, something that goes back centuries. None of the major Internet crime gangs are in Syria, which left Iran, or even Russia or China, as the supplier of Cyber War weapons and technology to Syria.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close