Protesters against the Iranian regime are getting a boost to help their efforts from hacking groups that use Telegram, Signal and the dark web to circumvent government restrictions.
“The main activities are the leaking and selling of data, including phone numbers and emails of officials, as well as maps of sensitive locations. CPR sees the sharing of open VPN servers to circumvent censorship and state of the Internet reporting in Iran, as well as the hacking of conversations and guides,” according to a blog post by Check Point Research (CPR), which shared five examples of counter-protester activity.
The Telegram groups, according to the researchers, have between 900 and 1,200 members, some of whom offer a proxy list and a VPN to circumvent Iranian government censorship while another group helps protesters access social media.
The CPR noted the activities the day after protests began following the death of Mahsa Amini. “Specifically, hacker groups allow Iranians to communicate with each other, share news and what’s happening in different places, which the government is trying to avoid, to bring down the flames,” the CPR said. “As usual with these uprisings, there are hacking groups trying to take advantage of the situation and sell information about Iran and the regime.”
The researchers specifically called out the channel Official Atlas Intelligence Group, a 900-member group that uses Telegram to leak and sell data. They “focus on leaking data that can help against the regime in Iran, including phone numbers and emails of officials and maps of sensitive locations,” CPR said, as well as “upselling” private information about the Iranian Revolutionary Guard Corps (RGC). They also offer a list of proxies to help protesters circumvent censorship in Iran.
The 5,000-strong Arvin Group also uses the messaging platform to leak and sell data. It focuses on “news from protests in Iran, reports and videos from the streets where protests are taking place in Iran,” CPR said. They also provide Open VPN services and report on the state of the internet in the country.
Red Blue is another group with 4,000 members and also uses Telegram to hack “conversations and guides, part of the hide01.ir hacking website, which is operated by Iranians, about hacking computers and software,” said CPR. “Some of the conversations are about circumventing censorship and helping people living in Iran to access social media sites.”
The 12,000-member Tor group, part of the Tor Project, uses Telegram and the Tor webpage to send messages to the community “focusing on how Tor can help protesters in Iran.”
Signal, too, “decided to join the effort and support the protests in Iran, helping others set up proxy servers that can be used to circumvent censorship in Iran,” the researchers noted.
The CPR began to see “these groups emerge about a day after the protests began, allowing Iranians to communicate with each other as well as share news and what is happening elsewhere.”
“Iran’s telecommunications sector is almost entirely state-owned, so it’s no surprise that anti-government groups like this are trying to use tools like Telegram to avoid state censorship,” said Chris Vaughan, vice president of technical account management, EMEA and South Asia, at Tanium. “These apps help people get unbiased information inside and outside the country, so I expect app stores may also be targeted in an effort to control communications. It is likely that the Iranian government will also block VPNs to restrict this flow of information and disrupt protesters trying to communicate with each other.”
Vaughan noted that “the Iranian government has been limiting and monitoring mobile internet access for several days now and has blocked the download of several messaging apps, including Telegram.”
Russia, China and other countries also use such blocking tactics “to control dissent, so we expect Iran to use some of the same tactics,” he said. “It will be more difficult to block messages if people use satellite communications; however, these are harder to find. Nevertheless, some anti-government hackers will try to help people connect this way.”
Vaughan expects the Iranian government to “spread disinformation campaigns, as we have seen in other countries,” pointing out that it launched a media war against protesters in 2019 and took control of the Internet.
“This time the protests have been going on for several days, but hacking groups outside the country are already trying to help protesters organize and share unbiased information about what the government is doing,” he said. “It could lead to longer disruptions than what we’ve seen before.”
Michael DeBolt, director of intelligence at Intel 471, said his researchers observed members of all major hacking groups on Telegram “sharing proxies and methods to circumvent internet censorship. Chats have also been used to share information about venues or events and different types of information related to events.”
He denounced a notable trend: “The posting of videos of demonstrations and attempts to collectively reveal the identity of soldiers and officers who participated in violent repressions against demonstrators”.
Intel 471 “observed actor 3ackd0or and others posting such information. Many notable hacker group chats changed their names to ‘OpIran’ and were used to share information about the protests,” DeBolt said. “The most common cyberattacks observed were denial of service attacks.”
DeBolt found it interesting that “more ‘traditional’ or older hacker groups in Iran, such as Bax 026 and Ashiyane, are siding with the regime and aligning themselves with the regime’s agenda, while more and more groups actively target the regime itself and aid opposition and anti-regime protesters.”