How the Iranian Government Hacks Dissidents

Citizen Lab has a new report on an Iranian government hacking program that targets dissidents. From a Washington Post op-ed by Ron Deibert:

Al-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail "Assad Crimes," she could easily have opened it. Instead, she shared it with us at the Citizen Lab.

As we detail in a new report, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was a malicious spyware, including a remote access tool called "Droidjack," that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.

Here's the report. And a news article.

Posted on August 9, 2016 at 5:26 AM • 44 Comments

Comments

Who?August 9, 2016 5:58 AM

I have a hard time understanding why activists whose on-line actions endanger them and their families continue using so insecure operating systems. It is basic OPSEC. Attack vectors have not changed in the last two decades. No need for elaborate plans, high tech surveillance technologies and expensive hardware implants. Sending them a Power Point or Word infected document is enough.

WinterAugust 9, 2016 7:00 AM

@Who?
"I have a hard time understanding why activists whose on-line actions endanger them and their families continue using so insecure operating systems. "

For activists, communication is at the hearth of their operation. No communication, no activism. In modern times, communication means the internet.

It has been explained on this blog many, many times that there are no secure operating systems (actually platforms Hard+Software). Furthermore, even if such an OS or platform would exist, activists in the Middle East will have difficulty obtaining the competence and experience needed to use and communicate securely with it.

So, the real question is, is there anything these activists can realistically do short of simply not engaging in political action?

@propagandaAugust 9, 2016 7:20 AM

Not really seeing any hard evidence of this pointing to the Iranian Government all very circumstantial at best.

@propagandaAugust 9, 2016 7:24 AM

Not really a fair title "How the Iranian Government Hacks Dissidents"

But then this fits very well with pro western propaganda emanating from this blog.

Quit blaming Russia, Iran and the Chinese for any reason and focus more on the technicals please.

I don't read this for political rhetoric and speculation.

Vive la USSA

AhmedAugust 9, 2016 7:53 AM

What is the evidence pointing to Iran in this case?! This blog used to be more legit.

@propagandaAugust 9, 2016 8:13 AM

HOW THE US GOVERNEMT PAY'S BRUCE SCHNEIER TO SPREAD PROPAGANDA

@jwh

I have read the report and it hardly seems conclusive, the IP's are originating from Iran if they where linked to maybe Government buildings this would be more indicative.

Dirk PraetAugust 9, 2016 8:20 AM

@ Winter

It has been explained on this blog many, many times that there are no secure operating systems (actually platforms Hard+Software).

Indeed, so you have to go for something that from a security vantage s*cks less and combine that with some good OPSEC. For the latter I usually recommend a search for the excellent OPSEC guides by our good friend @thegrugq. The first step in the former is dumping COTS operating systems such as Windows, OS X and everything Android.

CubesOS, TAILS, Whonix, PureOS and the like have become reasonably user friendly and should be well within the grasp of the average activist who can afford some time to get properly going with any of these. Those ready to leave Linux behind may wish to look into PC-BSD, which is actually a desktop FreeBSD. It's maturing quite well and those already familiar with a Linux KDE or Gnome desktop environment can start right away. Next to the security, stability and robustness of BSD, it also brings some interesting security/privacy features such as the Lumina desktop, GELI FDE, stealth sessions, transparant traffic torification in Tor mode and GELI encrypted home directories on an external device such as a flash drive that also acts as a mandatory 2FA token.

Which is not to say that PC-BSD is a walk in the park. Over the weekend, I blew up one of my installations twice while ugrading from 10.1 to 10.2 and subsequently to 10.3. The first upgrade left me with a CLI-only bare bones system from which nearly all packages had disappeared, the second upgrade even landed me on the dreaded GRUB rescue prompt. Meanwhile, everything is back up and running, but it took some seriously low level troubleshooting work that is far beyond the average user.

Hardware is of course an entirely different beast, but at least you have (considerably) raised the bar for anyone coming after you. Needless to say that I'm closely following Thoth's posts and smart card related work. There is some really good stuff in there.

jwhAugust 9, 2016 8:24 AM

@SockPuppets

Not just the IPs, though that is important.

* Sophistication of the attacks, including the use of commercial tools
* Targets of the attacks are consistent with government targets
* And of course the IPs

SpunkAugust 9, 2016 8:53 AM

I know I'm way too late, but I wish people wouldn't have start using the term OPSEC. It uses to have a specific meaning in intelligence circles that has now been completely diluted. See also "False Flag" and countless others.

The ShahAugust 9, 2016 8:59 AM

Good on Citizen Lab! They weighed all the possibilities very competently, except of course the possibility they're not allowed to weigh (search on Israe* for shits & grins.) Good on Mossad too. They did a much better job framing Iran than they did framing Russia for the DNC. This is a minor but not ridiculous psyop, once you do the willing suspension of disbelief and accept the notion that Iran gives a crap about Montreux hotel revolutionary poster girl Al-Ameer.

paulAugust 9, 2016 9:41 AM

You can tell how much an entity is feeling threatened by the quality/quantity of the trolls it sends.

Bob DoleAugust 9, 2016 9:51 AM

@paul

So where does "obvious semi-coherent" fall along the quality spectrum? XD

jwhAugust 9, 2016 10:16 AM

Funnily enough the IP's would also suggest Iraseli links, how bizarre, probably the Iranians trying to Frame the Kosher government.

Clive RobinsonAugust 9, 2016 10:52 AM

@Who?

I have a hard time understanding why activists whose on-line actions endanger them and their families continue using so insecure operating systems.

It's not just the hardware or software you need to think about.

The simple fact is that the whole computing stack can be "got at" one way or another but that may be the least of your problems.

You need to consider other factors as well. If you are stopped by the authorities "guard labour" most places these days, they will search you or find a way by which they can search you, your possessions, home or any other place they think they will find anything that acts against you. All you have to do is give them cause in some way. Which is in effect a matter of profiling, thinking hinky, you annoy them or which way the wind blows etc.

Thus having anthing other than what the guard labour has been taught is normal is as good as wearing a T-Shirt that has the back of a fist with middle finger raised pictured on it.

Thus "not making yourself a target" is the better part of not getting "selected for that special attention" which is the precipice of a slippery slop. Being anything other than a "stereotypical norm" is a recipe for probing. Having anything out of the norm is as good as a good kick to get you sliding down that slope to a secret underground super max.

Which means that anything more leak proof than a bottomless bucket is bad news.

Which leaves the question not of how to be more secure but "How to mitigate insecurity without becoming a target?".

minionAugust 9, 2016 11:00 AM

"It has been explained on this blog many, many times that there are no secure operating systems (actually platforms Hard+Software)."

That is true. But it is also true that there are plenty of setups that would prevent a simple powerpoint attachment from infecting an entire system and/or compromising the lives of activists on the field. These setups range from simple sandboxing to a QubesOS-style system. They are not a silver bullet for sure, but they would go a long way to mitigating this style of attack. And if this is the best a nation state actor like Iran can do/is willing to do at the moment against activists, that is good news for us because it means that protection against it is more affordable and more efficient than many of us would have realized.

rAugust 9, 2016 2:04 PM

@Dummy,

The best you click buzzards can come up with are links like that?

Foreign media, if that's what it is should open up github pages - it'd be more trustworthy if you're true motive is to swoon the security curious.

All it would take is a couple pulls and commits, and everything would be nice and open for global inspection. But here we are playing a cat and mouse game with suspicion and motive. I think the guy on the other thread asking for 'inspection' is potentially more believable and lethal than you.

rAugust 9, 2016 2:10 PM

@All & Also,

I forgot the name of it til just now, whoever asked about pdf viewers:

https://github.com/PaperCutSoftware/GhostTrap

"Ghost Trap - Ghostscript trapped in a sandbox - GitHub"

"Ghost Trap is a hardend distribution of the GPL Ghostscript PDL interpreter secured and sandboxed using Google Chrome sandbox technology. It's used to securely convert PostScript and PDF files from untrusted sources into images."

Don't assume I've verified the sources, I can't even verify my shoes are tied (I wear sandals).

jwh (real)August 9, 2016 2:52 PM

Wow, not cool, someone posted as the username I was using.

"Funnily enough the IP's would also suggest Iraseli links, how bizarre, probably the Iranians trying to Frame the Kosher government."

State funded sockpuppets are despicable.

GrauhutAugust 9, 2016 3:35 PM


Soooo many earnest voices here! Fascinating! :D

google.com/search?q=earnest+voice

youtube.com/watch?v=cFods1KSWsQ

jwh (fake)August 9, 2016 8:58 PM

@jwh (real): get a burner e-mail address and register the username here, if you want people to be sure it is "you". A small price for relative anonymity is anyone can use any username without registration.

@all: You really would think activists like these would be a lot smarter about not only computer security, but their own personal security. I wouldn't put it past these countries to hire assassins.

I would have thought they wouldn't travel with sensitive devices, would use multiple devices, use yet other disposable devices for accessing documents, etc..

Sure, the monetary cost might be high, it might be slightly inconvenient, but then when lives are at risk, so what?

As for the use of the term OPSEC, what is wrong with it? In this context, I think it is applicable.

rAugust 9, 2016 9:26 PM

@jwh (fake)

There are no verification emails, any dissidents or security curious reading his post are putting themselves at risk for various exploits.

Just make up an identity.
Sorry @Bruce.

rAugust 9, 2016 9:30 PM

@All,

And on the topic of foreign reporter/dissident defenses: diversify your holdings. If you can buy a MIPS or Intel phone, that may/may not help but it's better than getting hit with an ARM Specific exploit.

As a side note: the Asus Zenphone 2 is capable of running Windows XP, Windows 7 amoung other various OSs. It's another good way to cover your ESS. Intel SEAndroid + Linux Containers. Enjoy and GOOD LUCK.

Marcos MaloAugust 9, 2016 9:46 PM

Opsec is short for operational security. If your operation is gathering potentially embarrassing news about a government that doesn't respect freedom of the press, you need to take security measures to protect yourself, your sources, and in many cases, your friends and family. That's operational security. I don't get why anyone would consider it inappropriate in these circmastances.
-----------
A question for our OS specialists/aficionados: Would a grant from one of those pro-journalism foundations help develop a journalist/activist friendly OS/stack? It seems like the tools are out there, just not neatly packaged.

rAugust 9, 2016 9:59 PM

@Marshmallow (Marcos Malo)

I think your question about a custom stack/OS comes back to the things @Clive and @Thoth(?) have said:

#1 being that having any device is detrimental
#2 being that in certain cases throw away devices are more important than secure ones.

There may be other points to this, as to my comment about the ZenPhone 2 - I didn't meantion that it can run Tails and technically truecrypt if you have a validated kali-1.x iso.

Douglas McClendonAugust 10, 2016 1:47 AM

@Marcos Malo

A question for our OS specialists/aficionados: Would a grant from one of those pro-journalism foundations help develop a journalist/activist friendly OS/stack? It seems like the tools are out there, just not neatly packaged.

So, the thing is this- I have extremely strong opinions on this subject. On the one hand, the answer is yes- throwing millions of dollars at the problem would yield some forms of progress. On the other hand, my preferred/proposed/predicted solution involves no money, but the adoption of the understanding that U.S./F.C.C. "network neutrality" ensures a Free Speech based 'right' for every internet user to operate a server without discrimination by their ISP. There are many fine reasons that many educated people write off my attitude as basically delusional. That said, it's been nearly four years since I filed my 53 page complaint with the FCC (complaint ID # 12-C00422224-1). And my thoughts on the matter remain basically unchanged (despite the Snowden saga).

The nuanced justification for my belief centers around the idea of the internet as a Platform. And the snowballing power of Free and Open Source Software in an environment including Platforms that are basically available to *everyone*. I think the Linux community has done so well, because its Platform- any PC that happens to not be DRM locked down to preclude straightforward alternate OS install (*cough* PS4 class action *cough*)- is a Platform that literally every geeky high school in the country has access to without requiring they part ways with money they'd rather save for beer. Yes, I'm stretching things, but I hope you see my point. My point is that as long as ISPs are allowed to effectively tax server operators by charging them twice as much or more for 'business class' plans, then the necessary Broad Platform does not exist. Now sure, most ISPs won't bother to enforce their server prohibition terms of service in most instances. But think about the psychology of the geeky high school student foss developer. If they innovate and create an awesome piece of server software, they basically don't get to take pride in it with 'ordinary' parents. I.e. from the parents perspective, most users of the software would be people violating their ISP contract. It's got that air of dishonesty, like an old-school HBO descrambler circuit, or captain crunch whistle. If however the stigma associated with home server operation were unambiguously removed finally by a clear statement from the FCC, that innovator could proudly display to their parents how countless people on the internet took their contribution and benefited from it.

I truly believe that that change in Platform Psychology would get billions of dollars worth of innovation basically for free. Not to mention the advancement of important internet-as-free-speech principles that go hand in hand.

I love the cold, gloomy, and stark assessments coming from other comments here thus far. And while I think throwing some money (millions at least) at the problem might make some progress, I think the real issue is Free Speech as a Platform.

I tried my best to get the FCC to be forced to answer in stark terms what the precise relation between Free Speech and the Internet is. In my own mind, not having the option of communicating directly with others (necessitating one end acting as a 'server'), and thereby forcing people to engage with a 3rd party server operator (e.g. google for gmail, twitter for irc/chat, etc), is tantamount to removing Free Speech from the Internet. Your speech is only as free as the required server in the picture, and whether or not it's operator feels like silencing you that day/hour/minute based on their arbitrary whim.

Sadly I suspect the way things are headed, Facebook and Twitter, while they ought to be considered mere stars in a starry sky, will end up as some form of halfway regulated quasi-monopolies. Instead of, the internet behaving as it was designed, and having many competitors who had no server-tax barrier to entry slowing their innovation to a relative crawl.

$0.02... (because Winter's comment above I found depressingly insightful and sad). Right now there is basic unspoken understanding between the public, and the powerful governments and multibillion dollar megacorps. That unspoken understanding is basically 'we like things the way they are, and they aren't going to change. Look at Snowden and 422224.'

I mean seriously, how f'n weird has the whole Hillary home email server story been? I happen to know that it is a perfectly fine legal and moral thing to run one's own email server from home. Unfortunately I doubt the rest of the country understands that clearly. And of course, yes, it's still really f'n hard to run a home email server in any reasonably robust and secure way. But if the FCC came out tomorrow and said unequivocably that everyone has the right to try if they want to, then I'm pretty sure that a few dozen geeky high school students would manage to make something way more secure for political dissent involving free speech over the internet than Google will ever try to make. Because their motivation is cred and appreciation from users. Not selling intimate details of the psychology of their users to advertisers to satiate the stockholders of a multibillion dollar corporation.

Douglas McClendonAugust 10, 2016 2:10 AM

continuing... I also would mention, perhaps to my legal peril, that in my above hypothetical, yes, I realize that perhaps even a majority of the users of such innovation would be using the tech to engage in wanton copyright violation (though I think educational fair-use really ought to cover it all). The thing is, that I think when one weighs Values in the balance, there is just about no amount of those copyright violations, that could outweigh the benefit from having real amounts of Free Speech based dissent against governments and other bad actors. Likewise, much as I think Cannabis is as legal Celery (IANAL, but I have opinions on what the word Liberty means), I admit that there no doubt will be some number of Cannabis based fatalities involving vehicles, etc. But when one weighs Values using reason and looking at the Big Picture... I think one can see that free speech dissent is so much more fucking important that some cheapskates getting to listen to Metallica without further enriching Lars... Sigh... Napster was probably crap, just let us all have SFTP servers already.

gholiAugust 10, 2016 6:01 AM

I dot think , this is a good idea to point this to Iran because there is almost nothing about Iran in it.

gholiAugust 10, 2016 6:06 AM

Framing Iran??
its not a good idea to sue some countries like Iran , Russia or china
why you dont see israel and usa?

E.M.H.August 10, 2016 8:29 AM

LOL, nothing about Iran... save for IP addresses, the operators of the campaign being "comfortable with Iranian Persian dialect tools and Iranian hosting companies", the linking of the malware tools to an Iranian developer, the apparent discomfort the attacker had with Arabic when replying to Noura Al-Ameer, the fact that prior malware attacks against the same targeted Syrian opposition figures by Syrian regime linked groups did not exhibit any of these characteristics... yeah, nothing about Iran at all. :p

Dirk PraetAugust 10, 2016 9:07 AM

@ Marcos Malo

A question for our OS specialists/aficionados: Would a grant from one of those pro-journalism foundations help develop a journalist/activist friendly OS/stack? It seems like the tools are out there, just not neatly packaged.

I don't think any grants are necessary as, like you say, the tools are already out there and anyone can request inclusion of additional packages in TAILS if they meet the necessary requirements. Those who don't or are considered not useful or not ready for prime time yet is why a while ago I did some work on a small project called TAILS Candy, which allows you to do one-click installations of a number of additional apps in TAILS. Admittedly, I should take it back up again as I haven't upgraded it in a while and is probably useless for the current TAILS 2.5 .

But it would be kinda cool if some organisation would see fit to hand out a very generous grant to encourage porting TAILS to either PC-BSD or GhostBSD in order to get rid of its underlying Linux foundation.

rAugust 10, 2016 9:18 AM

@Dirk,

And the underlaying BSD foundation is all that much less maligned?

I'll look up ghostbsd, but I only see one in that family with little visible subversion.

I would be more interested in an ARM virtualization microkernel.

hey nony mouseAugust 10, 2016 11:08 AM

@Douglas McClendon :

    So, the thing is this- I have extremely strong opinions on this subject.

Two things we can note,


  • You are not realy addressing the question asked by @Marcos Malo.

  • This is atleast the fifth time you have mentioned your "53 page" complaint.


...

Dirk PraetAugust 10, 2016 11:31 AM

@ r

Have you checked to see if they were vulnerable to the long list of exploits just exposed to both fbsd and hbsd?

Since both PC-BSD and GhostBSD are based on FreeBSD, they're obviously vulnerable too. Although one of the fbsd devs end of July had said they're working on it, there apparently still is no fix and which is rather weird. The current work-around is disabling portsnap/freebsd-update and using svn or portmaster instead to download and create updated packages on a staging machine, then distribute those to other internal machines running the same release. Installing compilers on every machine is not too bright an idea either from a security vantage.

And the underlaying BSD foundation is all that much less maligned?

It certainly has less bloat, so a somewhat smaller attack surface. And Linus is not particularly anal about security related issues, which is a bit different in the xBSD ecosphere, especially on Theo's OpenBSD.

Nick PAugust 10, 2016 12:08 PM

@ Dirk, r

The statement from FreeBSD on that is linked in this thread. Thomas Ptacek's comment on top is a nice assessment of the situation. Any FreeBSD-based solution might not be trustworthy if they're running Core like that. Glad I held off on switching to BSD-based desktop. :)

rAugust 10, 2016 12:21 PM

@Nick P,

Wazzat? A cold wind out of the north west that you speak of?

A chilling effect?

Mr. Obvious (annoyed)August 10, 2016 9:27 PM

About the FreeBSD nastiness: no reason not to switch to OpenBSD if you're after security, not that it will be enough but it's a start if you're really aiming to give it a good try and don't think they (5, 9, or 16 Eyes, all the same) will spare manpower on you. And if they do (consider them abnormally shy) then consider that a victory ;)

Btw someone linked a very nice article on Faraday cages and I'll repost it because it was so good: please read (and use).

Thank you from the bottom of my heart to the original poster :)

Anyway if everyone in the world ditched Windows Whatever for Linux Mint (lowest bar possible) it would go a hell of a long way on its own towards making everything more awkward for Five Eyes (5E). Windows isn't even a joke, it's a stain in the pants of whoever runs it.

On "topic": Iran? Oh really, shucks that's "interesting" :P

Why is Schneier (or his replacement) trolling for Five Eyes (5E) yet again? Is Schneier running a honeypot for 5E bots? A honeypot for everyone else is pointless and thus not a valid option since 5E already know who "we" are and "everyone" knows they know and the 5E know that we know that they know that "we" don't give a shit and won't stop hating their ongoing destruction of America as well as Europe and Oceania.

Yup 5E is as un-American as it gets, even soviet communists and old guard nazis managed to be a tad closer to being American than 5E and the 5E know it's true :D

No wait! Now I realize why Mr. Schneier is doing what he's doing! He's trying to get kicked out of the TOR board because he realizes what a trap it is!

Clever, very clever, no rape fabrication needed for Schneier :)

Douglas McClendonAugust 12, 2016 5:26 PM

@hey nony mouse


dmc - "So, the thing is this- I have extremely strong opinions on this subject."

Two things we can note,

(1) You are not realy addressing the question asked by @Marcos Malo.

B.S. Not only did I address it with one answer, but I doubled down with some nuance and gave a second one as well.

On the one hand, the answer is yes- throwing millions of dollars at the problem would yield some forms of progress. On the other hand,

as for

(2) This is atleast the fifth time you have mentioned your "53 page" complaint.

I confirm the truth of your statement, but think you are making some misconstrued point (tying it to the aforementioned B.S.). That I've mentioned it at least five times is entirely consistent with the aforementioned strong opinions. I expect if I continue commenting here regularly, that within the next decade I'll mention it at least a dozen more times. Maybe more than a hundred. If you or the Moderator think there is something wrong with that, please try to explain it to me.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.