Protesters against the Iran regime are getting a boost to aid their efforts from hacking groups who are using Telegram, Signal and the dark web to get around government restrictions.
“Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations. CPR sees the sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides,” according to a blog post by Check Point Research (CPR), which shared five examples of these groups’ activities.
Telegram groups, the researchers said, include between 900 to 1,200 members, some of which offer a list of proxies and a VPN to maneuver around Iranian government censorship while another group helps protesters gain access to social media.
CPR noted the activities the day after protests began following the death of Mahsa Amini. “Specifically, hacker groups are allowing people in Iran to communicate with each other, share news and what is going on in different places, which is what the government is trying to avoid, to lower the flames,” CPR said. “As per usual with these uprisings, there are some hacking groups that are trying to make a profit from the situation and to sell information from Iran and the regime.”
Researchers specifically called out the Official Atlas Intelligence Group channel, a group with 900 members that uses Telegram to leak and sell data. They are “focusing on leaking data that can help against the regime in Iran, including officials’ phone numbers and emails and maps of sensitive locations,” CPR said, as well as “upsell” private information on the Iranian Revolutionary Guard Corps (IRGC). They are also offering a list of proxies to help protesters bypass censorship in Iran.
The 5,000-strong Arvin group is also using the messaging platform to leak and sell data. Its focus is “on news from the protests in Iran, reports and videos from the streets where the protests are in Iran,” CPR said. They also provide Open VPN services and report on internet status in the country.
Red Blue is another group with 4,000 members and is also using Telegram to hack “conversations and guides, part of the hacking website hide01.ir, which is operated by Iranians, about computers and software hacking,” CPR said. “Some of the conversations are about bypassing the censorship and helping those living in Iran to access social media sites.”
The 12,000-member Tor Group, part of the Tor Project, is using Telegram and the Tor page on the web to send messages to the community “with some emphasis on the help that Tor can bring to the protesters in Iran.”
Signal, too, “decided to also join the effort and support the protests in Iran, helping other people to set up proxy servers that can be used to bypass the censorship in Iran,” the researchers noted.
CPR started to see “these groups emerge roughly a day after the protests began, allowing people in Iran to communicate with each other as well as share news and what is going on in other places.”
“The telecommunications sector in Iran is almost entirely state-owned, so it’s not surprising that anti-government groups like this are trying to use tools such as Telegram to avoid state censorship,” said Chris Vaughan, vice president of technical account management, EMEA and South Asia, at Tanium. “These apps help people get unbiased information in and out of the country, so I expect that app stores may also be targeted in a bid to control communications. It’s likely that the Iranian government will also be blocking VPNs in order to restrict this information flow and disrupt protestors trying to communicate with each other.”
Vaughan noted the “Iranian government has been limiting and monitoring mobile internet access for several days now and has blocked the download of several messaging apps, including Telegram.”
Russia, China and other countries also use such blocking tactics “to control dissent, so we anticipate that Iran will use some of the same tactics,” he said. “It will be more difficult to block messages if people are using satellite communications; however, these are harder to come by. Nevertheless, some anti-government hackers will be trying to help people connect in this way.”
Vaughan expects the Iranian government is likely “spreading disinformation campaigns, as we have seen in other countries,” pointing out that they launched a media war against protesters in 2019 and seized control of the internet.
“This time, the protests have been taking place for several days, but hacking groups outside the country are already trying to assist protesters with organizing themselves and sharing unbiased information about what the government is doing,” he said. “This could cause disruptions to continue longer than we have seen previously.”
Michael DeBolt, chief intelligence officer at Intel 471, said his researchers observed members of all the major hacking groups on Telegram “sharing proxies and methods to bypass internet censorship. Discussions were also used to share information on locations or protests and different types of information relating to the protests.”
He called out one notable trend: “The uploading of videos of protests and attempts to collectively reveal the identity of soldiers and officers who were taking part in violent crackdowns against protestors.”
Intel 471 “observed the actor 3ackd0or and others posting such information. Many of the notable hacker group chats changed their name to ‘OpIran’ and were used to share information on the protests,” DeBolt said. “The most common cyberattacks observed were denial-of-service attacks.”
DeBolt found it interesting that “the more ‘traditional’ or older hacker groups in Iran, such as Bax 026 and Ashiyane, were taking the regime’s side and aligned with the regime’s agenda, while more and more groups are actively targeting the regime itself and helping opposition and anti-regime protestors.”