On Tuesday, for instance, Reuters reported upon the operations of a hacking group known as CopyKittens, which is apparently based in Iran and has been engaged in attempted attacks that have been recorded at least up until April of this year. The Reuters report quoted IT security researchers as saying, “CopyKittens is very persistent, despite lacking technological sophistication and operational discipline.” Those researchers added that the simple tactics employed by this and other groups have occasionally been found to be effective, using directly targeted individuals as hubs from which the attackers can infect various other persons who potentially have access to sensitive information of interest to the Iranian government.
Some of the researchers quoted in the Reuters report were willing to specifically identify CopyKittens as “Iranian government infrastructure.” But whether independent or a direct arm of the Iranian regime, the group is not the only one of its kind to be active in recent years. The Reuters report identifies another such organization by the name of Rocket Kitten and says it “has mounted cyberattacks on high-profile political and military figures in countries near Iran as well as the United States and Venezuela” since 2014.
Iran or Iran-based hackers have been implicated in a number of other cyberattacks on Western targets as well, some of them more sophisticated than the simple phishing attacks launched by the likes of CopyKittens. Last year, the US Justice Department indicted seven such hackers for targeting American banks and breaking into the computer system of a dam in New York State, in a failed attempt to disrupt its operations. Others have reportedly been implicated in attacks on Saudi Aramco in 2012 and the Las Vegas Sands casino in 2014, as well as being possibly linked to an attack on Sony that was primarily attributed to North Korea.
While these incidents speak to the offensive potential for information technology development under the current Iranian regime, other stories highlight the likelihood of that development being simultaneously directed against the Iranian people. Tehran has made a familiar habit of boasting about its cybersecurity capabilities. And even though these statements are often exaggerated, they clarify the regime’s commitment to cracking down on free expression via the internet and social media. Already, major social networking sites like Facebook and Twitter are banned outright in the Islamic Republic. And although young Iranians routinely circumvent these restrictions, the country’s censorship authorities have variously tried to suggest that more comprehensive restrictions are around the corner.
A key example of these claims has to do with the notion of an isolated national internet, sometimes referred to as “halalnet,” in which only government-approved content would be accessible. There is no independent evidence to suggest that the regime or its non-government affiliates have the capabilities to implement such a system, but this has not stopped government officials from talking about piecemeal steps in that direction.
An apparent example of this phenomenon emerged this past week when Iran’s Communications and Information Technology Minister Mahmoud Vaezi claimed that the popular instant messaging app Telegram would soon be moving servers into the Islamic Republic, thereby giving the regime access to communications that were previously considered to be relatively secure.
This supposed security, including users’ ability to have communications automatically delete themselves after a set period of time, has helped to make Telegram enormously popular throughout Iran, and particularly among activist populations who use it to organize protests or to post criticisms that might otherwise be more likely to lead to arrest or harassment by the Ministry of Intelligence or the Iranian Revolutionary Guard Corps.
According to the Associated Press, Telegram CEO Pavel Durov has denied Vaezi’s claim about forthcoming Iranian servers. Iran’s internet authorities previously demanded just such a move, only to be publicly rejected by Durov. Furthermore, that demand was extended to all independent applications operating on the Iranian internet. Failure to keep Iran-based communications on local servers would lead to the government banning those services nationwide, according to officials. But as with Facebook and Twitter, it is expected that the regime lacks the capability to fully enforce such a ban.
In making its apparently false claim about local Telegram servers, the Communications Ministry may have been motivated by the desire to undermine the perceived security of the popular app, thereby encouraging a portion of the population to move away from it. But this is not to say that Telegram or any other such system is inherently safe. Dozens of administrators of popular Telegram groups were arrested in the run-up to Iranian presidential elections in May. And even following Durov’s denials about the server change, the Center for Human Rights in Iran continued to criticize his company over the possible use of content delivery networks inside the country, which could allow regime authorities to obstruct local material, albeit probably without the ability to decrypt it.
Of course, as the tech industry in Iran grows, so will the ability of the regime or its defenders to overcome the security features of independent applications and websites. But at the same time, the industry’s growth is largely being driven by a young population that is known for being pro-Western and pro-democracy, and thus eager to use their own know-how in order to counter ever-growing restrictions. In this sense, cybersecurity is sure to remain at least as much of a battleground within Iran as it is in between Iran and its foreign adversaries.