Black Hat Las Vegas: Researchers detail efforts against Iranian dissidents

Two independent cyber-security researchers took the stage late on Thursday at Black Hat Las Vegas not to explain infosec vulnerabilities or to discuss hacking, but to diagram how they believe groups, possibly controlled by the Iranian government, are targeting dissidents inside and outside Iran.

Collin Anderson and Claudio Guarnier, who is also an Amnesty International technologist, spent several years investigating how each group functions. They detailed how Cleaver (also called Ghambar), Sima, Rocket Kitten and Infy have over the last several years attacked a variety of dissidents using everything from website defacement to malware. The goal is to suppress anyone attempting to undermine the Iranian regime.

The two also discussed the recent release of phone numbers of Iranians using the Telegram messaging app, saying the act was not a hack, but an “excellent intelligence operation”.

The researchers singled out how each of the four groups brings different skill sets and capabilities to the battle. Anderson described Cleaver as possessing a rudimentary toolkit, which it is steadily improving, that it uses to hit Iranians living outside the country along with human rights activists. Its attacks run the gamut from simply damaging computer systems to delivering the Blue Screen of Death to its targets.

However, Cleaver's weaknesses include poorly worded social engineering messages, which make it less effective.

This is corrected by Sima, which Guarnier described as having the best social engineering skills and an excellent command of English, making its messages difficult to pick out. Sima has targeted women and human rights activists, but luckily its back-end infrastructure is poor and frequently breaks down while delivering an attack.

Possibly the most effective of the bunch, according to the two, is Rocket Kitten. It has struck Iranian activist media groups living outside the country using PowerShell to inject and execute code.

Rocket Kitten also may have been responsible for the Telegram attack. Anderson said 20 million of Iran's 80 million citizens use the service to send encrypted messages.

Anderson said in no uncertain terms that Telegram was not hacked, but that Rocket Kitten managed to “abuse” the messaging app to discover the names.

Guarnier had some strong words for Telegram execs. “It was wrong. Telegram knew of the gathering of numbers, but did not tell the users,” he said.