At Black Hat, researchers detailed cybergang efforts against Iranian dissidents
Collin Anderson and Claudio Guarnieri on the stage at Black Hat.
Two independent cybersecurity researchers took the stage late on Thursday at Black Hat not to explain infosec vulnerabilities or to discuss hacking, but to diagram how they believe groups, possibly controlled by the Iranian government, are targeting dissidents in and outside of Iran.
Collin Anderson and Claudio Guarnieri, who is also an Amnesty International technologist, spent several years investigating how each group functions. They detailed how groups called Cleaver (also called Ghambar), Sima, Rocket Kitten and Infy have, over the last several years, attacked a variety of dissidents using everything from website defacement to malware. The goal is to suppress anyone attempting to counter the Iranian regime.
The two also discussed the recent release of phone numbers of Iranians using the Telegram messaging app, saying the act was not a hack but an “excellent intelligence operation.”
Each of the four groups singled out brings a different skillset and set of capabilities to the battle. Anderson described Cleaver as relying on a rudimentary toolkit, which it is steadily improving, to hit Iranians living outside the country along with human rights activists. Its attacks run the gamut from simply damaging computer systems to delivering the Blue Screen of Death to its targets.
However, Cleaver's weaknesses include poorly worded social engineering messages, which make it less effective.
Sima fills that gap: Guarnieri described it as having the best social engineering skills and an excellent command of English, making its messages difficult to pick out. Sima has been used to target women and human rights activists, but luckily its back-end infrastructure is poor and frequently breaks down while delivering an attack.
Possibly the most effective of the bunch, according to the two, is Rocket Kitten. It has struck Iranian activist media groups based outside the country, using PowerShell to inject and execute code.
Rocket Kitten also may have been responsible for the Telegram attack. Anderson said 20 million of Iran's 80 million citizens use the service to send encrypted messages.
Anderson said in no uncertain terms that Telegram was not hacked, but that Rocket Kitten managed to “abuse” the messaging app to discover the names.
Guarnieri had some strong words for Telegram execs. “It was wrong. Telegram knew of the gathering of numbers, but did not tell the users,” he said.