Iran's Soft-War for Internet Dominance

Presented at Black Hat USA 2016, Aug. 4, 2016, 2:30 p.m. (50 minutes)

Over the past decade, the Islamic Republic of Iran has been targeted by continual intrusion campaigns from foreign actors that sought access to the country's nuclear facilities, economic infrastructure, military apparatus, and governmental institutions for the purpose of espionage and coercive diplomacy. Similarly, since the propagandistic defacements of international communications platforms and political dissident sites conducted by an organization describing itself as the "Iranian Cyber Army" beginning in late 2009, recurrent campaigns of intrusions and disruptions of private companies, foreign government entities, domestic opposition, regional adversaries and international critics have been attributed to Iranian actors. The intent of the CNO activities is not always discernible based on the tactics used or the data accessed, as the end implications of the disclosure of particular information are often distant and concealed. Where such intent is made evident, the reasons for Iranian intrusion campaigns range from retaliatory campaigns against adversaries, as a result of identifiable grievances, to surveillance of domestic opposition in support of the Islamic Republic establishment. Iranian intrusion campaigns have also reflected an interest in internal security operations against active political movements that have historically advocated for the secession of ethnic minority provinces or overthrow of the political establishment through violence. However, Iranian intrusion sets appear to be primarily interested in a broader field of challenges to the political and religious hegemony of the Islamic Republic. Previous reports on Iranian campaigns have referred to the targeting of Iranian dissidents. However, in practice those targeted range from reformists operating within the establishment from inside of Iran to former political prisoners forced out of the country.

Across the records of hundreds of intrusion attempts in campaigns conducted by distinct sets of actors, distinct patterns emerge in the types of individuals and organizations targeted by Iranian actors in internal security operations: high-profile individuals and organizations, such as journalists, human rights advocates or political figures, with extensive relationships and networks inside of Iran; members of the diplomatic establishment of Iran, and former governmental officials under previous administrations; adherents to non-Shia religions, participants in ethnic rights movements, or members of anti-Islamic Republic political organizations; academics or public policy organizations critical of the Iranian government; cultural figures that promote values contrary to the interpretation of Islamic values promoted by the establishment; organizations fostering international collaboration and connections with the current Iranian administration; and international organizations conducting political programmes focused on Iran through funding by governmental agencies. In this presentation we will analyze in depth the results of several years of research and investigation on the intrusion activities of Iranian threat actors, particularly those engaged in attacks against members of civil society.


  • Collin Anderson
    Collin Anderson is a Washington D.C.-based researcher focused on measurement and control on the Internet, including network ownership and access restrictions, with an emphasis on countries that restrict the free flow of information. These efforts have focused on monitoring the international sale of censorship equipment, identifying harm in disputes between network operators, exploring alternative means of communications that bypass normal channels of control, and applying open data to shed new light on increasingly sophisticated restrictions by repressive governments.
  • Claudio Guarnieri / nex
    Claudio Guarnieri is a security researcher mostly specialized in the analysis of malware, botnets and computer attacks in general. He's a core member of The Honeynet Project as a research fellow at the Citizen Lab, University of Toronto. He created the open source malware analysis software Cuckoo Sandbox and Viper and runs the Malwr free service. He published abundant research on botnets and targeted attacks and presented at conferences such as Hack In The Box, BlackHat, Chaos Communication Congress and many more. In recent years he devoted his attention especially to issues of privacy and surveillance and published numerous articles on surveillance vendors such as FinFisher and HackingTeam with the Citizen Lab as well as on NSA/GCHQ and Five Eyes surveillance capabilities with The Intercept and Der Spiegel. He was selected among the 50 persons of the year 2014 by Wired Italy, received the EFF Pioneer Award 2015 with the Citizen Lab, and was selected by Forbes among the 30 Under 30 honorees for 2016. He continuously researches and writes on government surveillance and threats to journalists and dissidents worldwide and supports human rights organisations with operational security and emergency response.

