Iran’s Cyber War: Hackers In Service Of The Regime; IRGC Claims Iran Can Hack Enemy’s Advanced Weapons Systems; Iranian Army Official: ‘The Cyber Arena Is Actually The Arena Of The Hidden Imam’

August 25, 2013

Introduction

The Iranian regime views the cyber arena as an active warzone with the U.S. and its allies, and in recent years has invested substantial efforts in it, for both psychological warfare and physical sabotage of Western infrastructure. The cyber arena is also used by the regime as a tool for spreading its ideology, by exporting the Islamic Revolution and by preparing for the arrival of the Hidden Imam (the Shi’ite messiah).

Regime officials and mouthpieces often depict Iran as defending itself against a Western cultural onslaught, with the cyber arena – chiefly social networks – being one of the main elements of the “soft warfare” being waged against the regime. For that reason, the regime blocks Facebook and Twitter in the country, even though many Iranian users know how to circumvent this using special software.[1]

Regime spokesmen often state that Iran’s cyber capabilities are aimed at protecting regime infrastructure from Western cyber-attack, and deny that the regime is involved in Iranian cyber-attacks on Western infrastructure.[2] However, Iran’s Islamic Revolutionary Guard Corps (IRGC) claims that Tehran has developed cyber capabilities that enable it to penetrate the enemy’s advanced military infrastructure. Thus, alongside its defensive cyber system, the regime has also established an offensive cyber system, which includes organized hacker groups as part of the Basij, as well as independent groups, working in concert with the regime. This system has been behind a series of cyber-attacks on websites and infrastructure outside Iran in recent years, including against the NASA website.

IRGC and Basij officials have repeatedly boasted about the regime’s offensive cyber capabilities. Abdolreza Azadi, the IRGC commander in Hamedan, said in 2011, during Friday prayers: “On the instructions of Leader [Khamenei], the IRGC and the Basij have conquered the Internet arena and have to a large extent shut down the enemy’s cyber force.”[3] Basij deputy commander Ali Fazli said in March 2013: “Just as there are cyber-attacks against us, our cyber corps – which comprises experts from the instructor, student, religious student, and sisters’ Basij – attacks enemy websites… Warfare, especially cyber warfare, is bilateral, and defense will be successful if it is accompanied by a planned and calculated offensive.”[4]

This paper will review the Iranian regime’s preparations in the cyber arena, with a focus on its offensive capabilities.

The Iranian Regime Sets Up Its Cyber System

Establishing Cyber Institutions, Conducting Cyber Maneuvers

The importance that the Iranian regime places on the cyber arena was clearly illustrated in statements by Gholam Reza Jalali, director of the Passive Defense Organization, which is the regime’s emergency system plan and which is tasked with managing the civilian cyber system. In August 2012, he said, “The world is currently heading towards cyber warfare.”[5]

In October 2011, the Passive Defense Organization established the Cyber Headquarters, which oversees these activities as well as the defense of the country’s infrastructure, and which is deployed nationally via cyber headquarters that have been set up in various cities.

In addition to the Passive Defense Organization, cyber headquarters in the Iranian military and IRGC are also in operation. In October 2009, Iran founded the Cyber Police, a body that tracks regime opponents on the web and arrests them.[6]

From time to time, the Passive Defense Organization conducts cyber maneuvers in an attempt to institute and establish the cyber system and to improve its defensive capabilities against cyber-attacks. In early July 2013 Jalali said that the regime would soon conduct national cyber maneuvers, and that his organization would set regulations for vital infrastructure in Iran in order to attain complete cyber safety.[7] In August 2011, the Passive Defense Organization conducted a national drill aimed at testing state organizations’ and institutions’ vulnerability to cyber-attacks.[8] Jalali even said that between March 2011 and March 2012, the organization had conducted 500 cyber maneuvers across the country.[9]

Regime officials have claimed that Iran has attained cyber warfare capabilities matching and even surpassing those of the U.S. In February 2011, Ali Saeedi, Khamenei’s representative in the IRGC, said that Tehran was ahead of Washington in terms of cyber-warfare;[10] in February 2013, Saeedi’s deputy, Mohammad Hossein Sepehr, called Iran “the world’s fourth biggest cyber power;”[11] and in May 2012, the commander of the IRGC in Qom, Ebrahim Jabbari, claimed that “the IRGC has managed to establish the second [strongest] cyber army in the world.”[12]

Recruiting Hackers For Regime Activity

In an attempt to centralize cyber activity, regime organizations began recruiting hackers for a “Basij Cyber Council.” In November 2010, Tehran IRGC commander Hossein Hamedani stated that “the Basij Cyber Council has trained 1,500 cyber-warriors who have assumed their duties and will in future carry out many operations.”[13]

IRGC commander Mohammad Ali Jafari said in February 2011 that his organization extensively utilizes the Basij’s cyber capabilities: “[The IRGC’s] cyber army operates in the virtual arena, which many countries today use for defensive, security, political, and cultural purposes. In light of the capabilities of Basij experts, and with attention to the link between the IRGC and the Basij and forces of the revolution [i.e. the regime], there are no limits with regard to the scope of the forces specializing in cyber warfare, and we use those forces extensively. The assistance from these forces is the reason the IRGC is successful.”[14]

On another occasion, Jafari also implied that Iran is receiving help from foreign hackers for cyber-attacks: “It is possible that many cyber war soldiers and officers from other countries will assist us in this war.”[15]

In March 2011, Gholam Reza Jalali called on hackers loyal to the regime to join its cyber ranks, saying: “We welcome hackers who wish to work for the Islamic Republic with motivations of good will and revolutionary activism.”[16] In June 2011, the IRGC weekly Sobh-e Sadeq called on the regime to recruit hackers for government activity in order “to train an expert force and to pay close attention to the role played by information technology and communications in dealing with the enemy… Establishing cyber headquarters and recruiting revolutionary hackers are vital steps that are appropriate for this.”[17]

In addition, the regime is preparing to train skilled academic manpower. In March 2012, various universities in Iran opened cyber defense schools, as part of a program launched by the Passive Defense Organization.[18] At a February 8, 2012 student conference, then-deputy head of Iran’s National Security Council, Ali Baqeri, called on students “to play a key role in the cyber area” and boasted that “a document recently published by the U.S. intelligence apparatus said that Iranian intelligence operations against the U.S. have increased in recent years, and so have [Iran’s] cyber capabilities.”[19] He added: “Your actions in the cyber arena can be highly effective, as was proven in the Islamic Awakening [the Iranian term for the Arab Spring], when [Iranian] students spontaneously contacted Islamic Awakening activists and achieved very important results.”[20]

Iranian Regime-Backed Hacks Of Websites Outside Iran

In recent years Tehran has shown offensive cyber-warfare capabilities, as manifested by its hacking of opposition websites inside and outside Iran, and websites of foreign media outlets it considers hostile such as Voice of America (VOA) and Radio Zamaneh, and even government websites in the Gulf, U.K., and U.S., as well as websites in France.[21]

Various Iranian functionaries have encouraged hacking. Vice President Elham Aminzadeh, who was at the time a former Majlis member, said, “It is Iran’s right to respond to cyber-attacks with reciprocal attacks, if Iran does not receive the cooperation of international organizations in preventing them.”[22] In May 2011, then-intelligence minister Heydar Moslehi called on Iranian citizens to carry out “the necessary actions with regard to the Farsi-language Facebook page opened by the Israeli Foreign Ministry, thus showing their revolutionary spirit.”[23] In addition, the cultural director at Lorestan University in Western Iran, Mohammad Reza Khodaei, offered 10 million rials for students who manage to hack into and shut down “immoral” websites, explaining, “Today the enemy is waging soft warfare against divine morality… Today we are dealing with bestial Western culture.”[24] In addition, Khodaei asked the science-oriented Informatic student association at Lorestan University to “make it top priority to hack into websites spreading immoral values that operate inside and outside Iran.”[25]

Hacker Groups Working For The Regime

Several hacker groups operate as part of the regime; the main ones are the Iranian Cyber Army (ICA), Ashiyane, and Virtual Anonymous Jihad. Smaller groups include the Hezbollah Cyber Army,[26] Shabgard, and Simorgh.

Ashiyane – Hacking Into NASA And Infrastructure Websites In U.S., U.K., France, And Gulf

Behrouz Kamalian, the head of the Ashiyane hacker group,[27] which in recent years has targeted regime oppositionist websites operating outside Iran, said in October 2009 that his group works in concert with governmental and military organizations.[28]

In May 2008, Kamalian said that the group had hacked into websites in the Gulf, to protest against their use of the term “Arabian Gulf” instead of “Persian Gulf,” and added that it had “planted an announcement with a map of Iran with the caption ‘The Persian Gulf’ on the websites of various companies in Saudi Arabia, the UAE, Bahrain, Oman, and Iraq.”[29] The Iranian website Tabnak stated that the websites hacked were those of the UAE newspaper Al-Khaleej; the Arabian Gulf League, which is the UAE soccer league; Iraq’s Ministry of Higher Education; the Abu Dhabi Police website; Mayadin University in Saudi Arabia; and Oman’s gas company.[30]

In 2010, Kamalian said that to mark the regime’s Fight Against Terrorism Day, the group had hacked, over the course of two days, 1,000 important websites in the U.K., the U.S., and France – notably the official websites of the State of Louisiana and of the city of Pevensey in the U.K., the website of the U.K. company Logmein, and the website of a web security company in France.[31]

In January 2009, Kamalian claimed that in 2005, his group began hacking websites outside of Iran in response to statements by U.S. officials that Iran was involved in the 9/11 terrorist attacks. He explained: “In protest, we attacked the website of NASA, and managed to hack into it and plant an announcement stating ‘Iranians and Muslims are not terrorists’ in English alongside an Iranian flag.”[32]

Announcement planted by Ashiyane on websites in the U.S., U.K., and France[33]

Kamalian also said that in recent years, Ashiyane had hacked hundreds of websites, including ones hosted in Denmark in response to the publication of cartoons depicting the Prophet Muhammad, Arabic-language websites in response to the use of the term “Arabian Gulf” instead of “Persian Gulf,” and Wahhabi websites in retaliation for a cyber-attack on websites belonging to senior ayatollahs Ali Sistani in Iraq and Makarem Shirazi in Iran. He said that the group had also hacked hundreds of Israeli websites during the second Lebanon war in 2006 and Operation Cast Lead in Gaza in 2009.[34]

In 2010, Kamalian said that his group operates independently and spontaneously, but acknowledged: “We cooperate with [Iranian] military apparatuses in advising and improving security… Many countries are waging cyber-wars because this type of war is more worthwhile with regard to cost, time, and loss of life. Therefore, the world’s most powerful governments, such as Russia, China, Iran, and the U.S., need to have organized groups for cyber-warfare. We have always operated in the framework of the goals of the state, the nation, and the religion, and have never conducted projects against the Iranian country and people.”[35]

The Iranian Cyber Army (ICA) – Operating Under IRGC Command

In February 2011, Khamenei’s representative in the IRGC, Ali Saeedi, acknowledged that the Iranian Cyber Army (ICA) was operating on behalf of the IRGC. After the hacking that month of the VOA Farsi-language website, Saeedi said: “The attack on the VOA website by the ICA and the message left there [‘We have proven that we can’ – see image below] for U.S. Secretary of State [Hillary Clinton] reflects the IRGC’s capability and strength in the cyber arena.”[36] He added that the hack was in response to the U.S.’s support of Iran’s Green protest movement.[37]

ICA hacks VOA Farsi-language website[38]

In December 2009, the ICA hacked Twitter, likely in response to the widespread use of the microblogging service in the organization of protests following the June 2009 elections in Iran, and caused it to shut down for two hours.[39] A statement left by the group on the Twitter website (see image below) read: “If Leader [Khamenei] gives the order – we will attack. If he asks us – we are willing to sacrifice our lives. If he asks us for restraint – we will obey.”

Announcement left by the ICA on Twitter[40]

Twitter’s announcement that it was hacked[41]

In recent years, the ICA has hacked websites associated with Iranian regime opponents, mainly those who operate abroad. In January 2010 it was reported that the group had hacked Baidu, China’s largest search engine,[42] and the website of Radio Zamaneh, which operates out of the Netherlands.[43] In February 2010, the group hacked the website of Mohsen Sazegara, an IRGC founder who defected to the U.S.;[44] Jaras, which is associated with supporters of the Green Movement and operates out of Virginia;[45] and Kaleme.org, which is associated with supporters of Mir-Hossein Mousavi, one of the leaders of the Green Movement. In November 2010, the ICA hacked the website of Farsi1, a channel for expatriate Iranians.[46] In February 2012 it was reported that the ICA had hacked the website for the Azerbaijan Broadcast Authority and the website for Azerbaijan Airlines, due to the tension between the two countries.[47]

In the run-up to the June 2013 presidential election, the ICA hacked into 13 regime opponent websites operating outside Iran, among them Alahwazvoice.com and Freeahwaz.com, which belong to the Ahwaz separatist opposition; the blog of Iranian journalist Arash Sigarchi, who works for VOA; and the websites Iranglobal.info and Iranbriefing.net, which are associated with regime opponents.[48]

Virtual Anonymous Jihad – Hacking Websites Belonging To Saudi Government, Exiled Regime Opponents

In June 2013, Iranian human rights activist and Nobel laureate Shirin Ebadi revealed that “the hacker group Virtual Anonymous Jihad, which took responsibility for several attacks on websites operating outside Iran, is run and guided by Iranian regime members.”[49]

In February 2013, the group hacked and shut down the websites Enghelabe-eslami.com and Banisadr.org, which are associated with former Iranian president and regime opponent Abu Al-Hasan Bani Sadr, who is in exile in France.[50] Also, in March 2013, the group hacked Mef.edu.sa, belonging to the Saudi Ministry of Higher Education, to protest against Saudi Arabia’s involvement, beginning in 2011, in the Bahraini government’s ongoing suppression of Shi’ite protests in Bahrain (see image below). In May 2013, it also hacked Irtv.com, belonging to an Iranian oppositionist TV channel operating in the U.S., and the Facebook page of BBC Farsi journalist Siavash Ardalan (May 2013).

Hacked Saudi government website: “Bahrain in blood, Saudi is criminal”[51]

On June 13, 2013, the day before Iran’s presidential election, the group hacked and shut down prominent regime opponent websites operating outside Iran, among them Digraban.com, Khodnevis.org, and Ostanban.com. On some of the hacked websites, the group posted the message: “To those who talk nonsense, and to the mercenaries of the foreigners – there is no safe place. Anywhere you are – you are within range of Hezbollah [Iran] forces.”

Message left by the group on Ostanban.com

Article In IRGC Weekly: Iran Has The Power To Hack The Enemy’s Advanced Weapons Systems

A February 4, 2013 article in the IRGC weekly Sobh-e Sadeq explained the importance of the cyber arena in the struggle between Iran and the U.S., and detailed Iran’s offensive capabilities in this area. Following are excerpts from the article:

“The Islamic Republic of Iran is one of the most important targets of American cyber-attacks, and accordingly, there have already been several [U.S.] attacks [against Iran]. Among the American-Zionist cyber-attacks on Iran should be noted the insertion of the Stuxnet, Flame, and Duqu viruses. Just as in the real arena, the U.S. and Zionism aim to take over the cyber arena, and the struggle with Iran is one of their most important goals. However, just as in the real arena, the Islamic regime managed to challenge the American and Western lust for power in the cyber arena, as well as via [the ongoing] resistance and steadfastness…

“The list of topics in Iran’s resistance in the cyber arena is lengthy, and is not restricted to technical defense or retaliatory attacks on websites that attack [Iran], but also includes spreading the Islamic culture and school of thought in the cyber arena in an attempt to challenge the West and its materialistic and anti-human culture. Therefore, spreading the Islamic values in the cyber arena is in itself the greatest challenge to Zionism and the U.S. At this time, there are many Islamic and Shi’ite websites that spread the religious values and beliefs in many languages. The Internet is not safe [for Iran] from interference by American and Zionist elements, but at the same time it provides an opportunity to disseminate Islamic values.

“In terms of cyber technology, Iran has made great strides in recent years, and U.S. security and intelligence sources believe that right now Iran has the means and technical capabilities to fight the U.S. in a cyber-war… Iran’s cyber capabilities are not merely a slogan but also a fact that outside observers cannot deny. Iran can hack into military computers of enemy countries, and crack passwords for aircraft and missile guidance, and even for ship-to-ship communications systems. Likewise, after the Stuxnet virus attack on Iran’s nuclear facilities, the Zionists created the Stars virus to carry out another attack, but Iran’s capabilities prevented this virus from having an impact…

“Thus far, the ICA has managed to identify and thwart various cyber activist networks that operated against the religion, morality, and human rights. An example of this is the most important operation from February-March 2009 known as the Gerdab Project – in which the IRGC managed to arrest the main elements behind 90 immoral Farsi-language websites and shut them down. Iran’s activity in the cyber arena and its resistance and steadfast position in culture and technology in the face of the U.S.’s and Zionism’s materialistic ideology and lust for power have thus far been highly successful.”[52]

Commander Of Cyber Headquarters Of Iranian Army: “The Cyber Arena Is Actually The Arena Of The Hidden Imam”

In an April 20, 2013 interview with the Iranian Mersadnews.ir, the commander of the Cyber Headquarters of the Iranian Army, Behrouz Esbati, discussed the dissemination of the values of the revolution via the cyber arena: “The virtual arena… is in fact the chief means for preparing the first steps towards the appearance of the reformer of the world and the one who will establish the rule of the just [i.e. the Hidden Imam]. Today, the Western world has reached a dead end in [its attempts to] present a [new] path for human society – from lifestyle to political, cultural, and social discourse…

“This [Western] society – with all its empty viewpoints – is crumbling. Under these conditions, the path is paved for those who want to show [the world] the Islamic school of thought and its logic, who aspire to establish a regime of divine values – which will in turn prepare the conditions for the appearance of the Hidden Imam.

“The cyber arena is actually the arena of the Hidden Imam. Some believe that Iran does not have the initiative in this arena, and that it is the enemy who holds the [real] capabilities. However, others who are much greater in number – and they include the enemy itself – believe that the rapidity of Iran’s conquest of the cyber arena is dizzying. We play a substantial role in the virtual arena, and our impact in the ‘soft warfare’ front has made the enemy’s head spin… The Iranian youth has shown its might in this area.”[53]

* Y. Mansharof is a Research Fellow at MEMRI.

Endnotes:

[1] The regime also set legal penalties for bloggers and websites posting links to Facebook and Google+. Snn.ir, February 11, 2013.

[2] In January and May 2013, U.S. officials accused Tehran of being behind cyber-attacks on computer networks of U.S. energy companies and banks. Nytimes.com, January 8, 2013, May 24, 2013. In October 2012, Washington accused Tehran of being behind an August 2012 attack on computers belonging to Saudi ARAMCO. Nytimes.com, October 24, 2012. Washington also accused Tehran of being behind September 2012 cyber-attacks on U.S. banks, but the director of Iran’s Passive Defense Organization denied involvement. Fars (Iran), September 23, 2012.

[3] Fars (Iran), July 1, 2011.

[4] Mehr (Iran), March 14, 2011.

[5] Mehr (Iran), August 11, 2012.

[6] Tabnak (Iran), October 30, 2009. See cyberpolice.ir. The Cyber Police arrested regime opponent blogger Sattar Beheshti, who was tortured to death during his arrest. See MEMRI Special Dispatch No. 5057, Iranian Blogger Who Told Supreme Leader Khamenei ‘Your Judicial System… Is Nothing But A Slaughterhouse’ Tortured To Death In Prison, November 19, 2012.

[7] Press TV (Iran), July 6, 2013.

[8] Mashregh (Iran), August 21, 2011.

[9] Fars (Iran), September 26, 2011.

[10] IRNA, Fars (Iran), February 22, 2011.

[11] Fars (Iran), February 2, 2013. The Secretary of the Supreme Council of Cyberspace, Mehdi Akhavan Bahabadi, even said that Iran is a world leader in cyber defense, and that it is willing to assist its neighbors in protecting their oil companies based on its extensive experience. Mehr (Iran), October 14, 2013.

[12] Fars (Iran), May 20, 2012.

[13] ISNA (Iran), November 21, 2010.

[14] Hamshahri (Iran), February 7, 2011.

[15] Mehr (Iran), July 4, 2011.

[16] Jalali added: “I warned the group of hackers that wishes to harm the people. We follow their activity and we deal with them harshly.” Bultannews.com, March 6, 2011. In May 2013, the head of the National Iranian Oil Company, Ahmad Qale’bani, said that the company intends to hire hackers to help defend against cyber-attacks on Iran’s oil infrastructure. Fars (Iran), May 31, 2013.

[17] Sobh-e Sadeq (Iran), June 27, 2011.

[18] IRNA (Iran), March 24, 2012.

[19] Fars (Iran), February 8, 2012. Fars explained that Baqeri meant that “students should join the cyber arena to contend with the U.S.”

[20] Fars (Iran), February 8, 2012.

[21] The management of Radio Farda, which operates in Europe, accused the Iranian regime of being behind cyber-attacks on Facebook pages belonging to Iranian journalists that it employs. Irangreenvoice.com, January 30, 2013. For the BBC Farsi’s claim that it was attacked by Iran and for more on the Cyber Police’s activity as part of the IRGC, see MEMRI Special Dispatch No. 2794, In Run-Up To Islamic Revolution Day 2010, Iranian Regime Steps Up Oversight, Censorship On Media, Citizens, February 5, 2010.

[22] Resalat (Iran), May 29, 2012.

[23] Fars (Iran), May 11, 2011.

[24] Snn.ir, July 9, 2012.

[25] ISNA (Iran), June 28, 2012.

[26] It was reported in February 2010 that this group hacked into the website of the Iranian oppositionist party The Association of Combatant Clerics.

[27] The group’s website is ashiyane.ir.

[29] Tabnak (Iran), May 29, 2008.

[30] Tabnak (Iran), May 29, 2008.

[31] Fars (Iran), August 30, 2010.

[32] Ashiyane also published a communique on its website taking responsibility for the attack on the NASA website, listing the five subdomains that it hacked: Mola.gsfc.nasa.gov, Lvis.gsfc.nasa.gov, imagers.gsfc.nasa.gov, gimms.gsfc.nasa.gov, and neespi.gsf.nasa.gov. For Ashiyane’s communique, see Ashiyane.ir/archive.php?id=2.

[33] Fars (Iran), August 30, 2010.

[34] Inn.ir, January 25, 2009.

[35] Dw.de, September 17, 2010.

[36] Mashregh (Iran), February 22, 2011.

[37] IRNA, Fars (Iran), February 22, 2011.

[38] Fars (Iran), February 22, 2011.

[39] Wsj.com, December 18, 2009.

[40] Tabnak (Iran), December 18, 2009.

[41] Tabnak (Iran), December 18, 2009.

[42] Telegraph.co.uk, January 12, 2010.

[43] Fars (Iran), January 31, 2010.

[44] Tabnak (Iran), February 10, 2010.

[45] Tabnak (Iran), February 12, 2010; Kaleme (Iran), February 13, 2010.

[46] Medianews.ir, November 17, 2010.

[47] Dw.de, February 23, 2012.

[48] Mehr (Iran), June 14, 2013; hra-news.org, June 15, 2013.

[50] Emadnews (Iran), February 13, 2013.

[51] Mef.edu.sa/wp-hack.php.

[52] Sobh-e Sadeq (Iran), February 4, 2013.

[53] Mersadnews.ir, April 20, 2013.