Application security, Network Security, Network Security

Iran election protesters use Twitter to recruit hackers

Political unrest resulting from the presidential election in Iran has escalated to a cyberwar between the Iranian government and activists, according to security experts monitoring the situation.  

In response to the election, supporters of pro-reform candidate Mir Hossein Mousavi launched distributed denial-of-service (DDoS) attacks against Tehran government websites and used Twitter to encourage others to do the same. Mousavi proponents are challenging Friday's presidential election that incumbent Mahmoud Ahmadinejad claims to have won.

Specifically, at 3 p.m. EST on Saturday, political activists initiatedDDoS attacks against Iranian government websites, using Twitter andFacebook to share sites where users could download tools to participatein the attacks, Ariel Silverstone, an independent security consultant,told SCMagazineUS.com on Monday. He has been following the cyberwar on his blog.

Following the intial DDoS and Twitter posts, the Iranian government, which is led by Ahmadinejad, shut down internet usage in Iran to block citizens' access to information, Richard Stiennon, chief research analyst of consultancy IT-Harvest, who has been following the situation on his blog, told SCMagazineUS.com on Monday.

For a period of 20 hours -- between late at night on Saturday until mid-afternoon Sunday -- the Iranian government shut off internet service, Silverstone said. At that time, most people in Iran couldn't access sites outside of Iran, and if they could, the connection was poor. At the same time, Iranian television broadcast only movies, and there were no references to the protests occurring in the streets, he said.

It appears that the internet shutdown was lifted mid-afternoon on Sunday, Silverstone said. But the Iranian government now is reportedly filtering traffic and has blocked certain sites, such as Facebook and the BBC news website. Also on Sunday, there were a number of reports that Twitter email addresses and Facebook accounts were hacked by what appears to be the Iranian government, he said.

“We assume that since some of those [hacked accounts] have been used to spread misinformation about the location of rallies, it was an organized or semiorganized effort by the Iranian government to spread misinformation,” Silverstone said.

Once the internet shutoff was lifted in Iran, more sites proliferated that offered internet sharing tools for download, so others could participate in cyberattacks against Iranian government websites, Silverstone said.

Political “hacktivists" have posted instructions on how to execute DDoS attacks against Iranian leadership websites, Stiennon said. They are targeting websites of the Iranian government and Iranian news bureaus controlled by the Iranian government, including https://www.leader.ir/; https://president.ir/; https://www.irib.ir/; https://www.iribnews.ir/.

So far, the DDoS attacks against the Iranian government have taken several forms. One of the tools available for download enables users to participate in a “ping flood” attack, in which a huge number of network monitoring packets are sent to a web server, causing it to crash, Stiennon said. In addition, users can also download a different program that would enable them to participate in a “GET flood” DDoS attack. In this style attack, the program that is downloaded acts like a web browser and continuously tries to access a web page over and over, making the target web server unable to respond to legitimate requests, he said.

One recent Twitter message read: “Join the information attack (Cyber War) on Ahmadinejad's government.” The tweet then includes a link to a Google Docs file with a list of sites that users can click on to participate in a DDoS attack. If users click on one of the listed URLs, their browser refreshes multiple times, Steinnon said.

Stiennon said there have been political cyberbattles before -- between Russia and Estonia and Hamas and Israel -- but this is the first time Twitter has been used to distribute information and encourage participants.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.