IRGC Hackers Target Iranian Journalists Based Abroad With Malware Campaign

Hackers working for Iran’s Islamic Revolutionary Guards Corps (IRGC) targeted journalists based abroad with a malware campaign launched on November 6, 2017. An investigation by the Center for Human Rights in Iran (CHRI) showed that the malware, targeting Mac computer users, was sent in a ZIP file claiming to include an “article about women’s rights.” Upon being opened, the file released the malware onto the victim’s computer.

Malware attacks are heavily used in Iran to monitor, take control of, or block accounts. The IRGC hackers targeted at least three journalists based in Europe and the United States working for the privately owned Iran International TV, as well as an Iranian human rights lawyer in the U.S. Most of the victims of the IRGC hacking campaign asked not to be identified for security reasons. One journalist who agreed to speak on the record told CHRI that she was suspicious of the email containing the file as soon as she saw it.

“It was a little fishy because I did not recognize the name of the person who sent me the file. It was a ZIP file and not a Microsoft Word document. I have been a phishing target many times, so I’m very careful about opening attachments,” said U.S.-based journalist Niusha Saremi.

An Iranian doctor at an unknown location and another journalist in the U.S. were also victims of the malware campaign. The hackers working for the IRGC also attempted to intercept two-step verification codes sent to the mobile phones of at least 10 reformist political activists in Iran between October 31 and November 4, 2017. Hackers with access to Iran’s telecommunications infrastructure are able to intercept two-step verification codes, so those who use a phone inside Iran to receive the codes protecting their email accounts are the most vulnerable to such attempts.

The malware file identified by CHRI attempts to create a folder named “content” in the Mac computer’s “Library” folder and copy over two files from the hacker’s server: a .sh file (shell script file) and a Microsoft Word file. After the two files are downloaded, the malware will install “Launch Agents” in the Mac’s operating system and enable digital spying on the victim and his or her contacts.

The malware file allows the hackers to remotely control the victim’s computer through a VNC server and monitor all communications. Virtual network computing (VNC) software enables users to remotely control other computers through a network connection. Keystrokes and mouse clicks are transmitted from one computer to another regardless of their location and recorded.
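The persistence and remote-control behaviour described in the two paragraphs above (a Launch Agent that runs a downloaded shell script from a “content” folder under Library, then exposes the machine through VNC) is the kind of thing a defender can look for in a user’s LaunchAgents directory. The following is an added detection example written for this page; it is not CHRI’s tooling or anything from the original report. The plist labels, file paths and sample plist contents are constructed for illustration, and the indicator patterns are assumptions derived only from the article’s description.

```python
"""Scan macOS LaunchAgent plists for persistence matching the pattern
described in the article: an agent that launches a shell script dropped
under ~/Library/content and/or references VNC remote control.
Added example; sample plists and labels below are constructed."""
import os
import plistlib
import re

# Indicators taken from the article's description (assumed, not from a
# published rule set): a Library/content folder, a .sh script run at login,
# and VNC-based remote control.
CONTENT_DIR_RE = re.compile(r"/Library/content(/|$)")
SHELL_SCRIPT_RE = re.compile(r"\.sh$")
VNC_RE = re.compile(r"vnc", re.IGNORECASE)


def _program_arguments(plist):
    """Return every string that ends up on the agent's command line."""
    args = []
    if "Program" in plist:
        args.append(str(plist["Program"]))
    args.extend(str(a) for a in plist.get("ProgramArguments", []))
    return args


def scan_plist(data):
    """Return a list of (label, reason) findings for one LaunchAgent plist."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException or an XML parse error
        return [("<unparseable>", f"not a valid plist: {exc}")]
    label = str(plist.get("Label", "<no label>"))
    findings = []
    for arg in _program_arguments(plist):
        if CONTENT_DIR_RE.search(arg):
            findings.append((label, f"runs a file from a Library/content folder: {arg}"))
        if SHELL_SCRIPT_RE.search(arg):
            findings.append((label, f"launches a shell script at login: {arg}"))
        if VNC_RE.search(arg):
            findings.append((label, f"references VNC: {arg}"))
    # Only worth noting when something above already looks wrong; many
    # legitimate agents also use RunAtLoad/KeepAlive.
    if findings and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append((label, "persists with RunAtLoad and KeepAlive"))
    return findings


def scan_directory(path):
    """Scan every .plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                results.extend(scan_plist(fh.read()))
    return results


# Constructed samples: one agent matching the article's pattern, one benign.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Users/victim/Library/content/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Sync.app/Contents/MacOS/Sync</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        for label, reason in scan_plist(sample):
            print(f"[{label}] {reason}")
    # On a real machine: scan_directory(os.path.expanduser("~/Library/LaunchAgents"))
```

Running the script against the constructed samples reports three findings for the first agent (the content-folder path, the shell script, and the RunAtLoad/KeepAlive persistence) and none for the second. Pointing `scan_directory` at a real user’s LaunchAgents folder gives a quick triage list; a hit is a reason to inspect the referenced script and check for an unexpected VNC listener, not proof of compromise on its own.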

“Cyber attacks carried out by Iranian hackers are not very sophisticated and require human action to be initiated. Therefore, the best security measure is to always be suspicious, especially if a sender asks you to open a file,” a cybersecurity expert, who requested anonymity for security reasons, told CHRI. Collin Anderson, a Washington, DC-based internet security expert, first reported on the trend of increasing attacks on Mac users in February 2017.

“My fear is that many people switched to Macs because they were concerned about malware and security issues, but doing this alone will not solve the issues. That’s why this report is serious: it’s informing Mac users that they still have to be vigilant because now Iranian groups are also targeting them,” he told CHRI.

The Iranian regime views the cyber arena as an active warzone with the U.S. and its allies, and in recent years has invested substantial efforts in it, for both psychological warfare and physical sabotage of Western infrastructure.

The importance that the Iranian regime places on the cyber arena was clearly illustrated in statements by Gholam Reza Jalali, director of the Passive Defense Organization, the regime’s emergency-preparedness body, which is tasked with managing the civilian cyber system. In August 2012, he said: “The world is currently heading towards cyber warfare.”

In an attempt to centralize cyber activity, regime organizations began recruiting hackers for a “Basij Cyber Council.” In November 2010, Tehran IRGC commander Hossein Hamedani stated that “the Basij Cyber Council has trained 1,500 cyber-warriors who have assumed their duties and will in future carry out many operations.”

In recent years Tehran has shown offensive cyber-warfare capabilities, as manifested by its hacking of opposition websites inside and outside Iran, websites of foreign media outlets it considers hostile such as Voice of America and Radio Zamaneh, and even government websites in the Gulf, the UK, and the U.S., as well as websites in France. Over the same period, the Iranian Cyber Army has hacked websites associated with Iranian regime opponents, mainly those who operate abroad.