CHRI’s research indicates that during Rouhani’s first term (2013-2017), cyberattacks on the social network accounts of civil and political activists, journalists, academics and influential cultural figures increased dramatically.
CHRI works directly with individuals under cyberattack to protect their accounts, and as a result, has perspective on the ebb and flow of such attacks. In any given week, CHRI receives on average at least five reports of state-sponsored hacking attacks (most frequently on the mobile messaging application Telegram) from journalists, political activists, women activists and students, with that number rising to an average of at least 20 per week at politically sensitive times such as during the run-up to elections. Given that CHRI comes into contact with only a portion of the state-sponsored hacking attacks undertaken regularly in Iran, these numbers are quite high.
The cyberattacks have not been limited to individuals inside the country; they have also targeted hundreds of civil and political activists outside Iran. Additionally, several public figures within President Rouhani’s administration, such as his brother and several deputy ministers of foreign affairs and their families, and others have been the targets of cyberattacks.
The methods and patterns used in these cyberattacks and the type of people they have targeted indicate that the hackers have the ability to use the country’s telecommunications and communications infrastructure. This means the attackers are state-sponsored.
Two state organizations are responsible for the vast majority of the attacks: the Islamic Revolutionary Guards Corps (IRGC) and, to a lesser extent, the Intelligence Ministry.
In many cases, CHRI has been able to determine the source of the attack due to the methods used. For example, the “hijacking” of text messages is done by companies owned by the IRGC. CHRI has also interviewed numerous victims of cyberattacks, including those who were arrested on the basis of their online content. These individuals have consistently relayed to CHRI who the arresting authorities were and the questions asked during the interrogations, information that consistently points to the IRGC.
The nature of the attack varies depending on the motives. The attackers may hack into the account and not disrupt anything, in order to conduct covert surveillance. They may take control of the account and use it to attack someone else’s account or, less frequently, to spread false information. When the goal is to stop a website from publishing the news or some piece of information, they will simply bring the website down.
Such surveillance can have catastrophic consequences for the victims. Many journalists and activists in Iran have been prosecuted and sentenced to prison terms for their online communications and activities.
The attacks are usually not technically sophisticated and, in some cases, including those that involve Android malware attacks, use tools that can be purchased for approximately $50 USD. Yet they can be effective for hacking individuals who, like most people, are not sufficiently familiar with basic security requirements.