
The Iranian Cyber Army

In June 2009, the streets of Tehran erupted in violence after the reelection of President Mahmoud Ahmadinejad. Reformers suspected voting fraud after the incumbent president received nearly 63 percent of the vote. Iranian authorities, however, cracked down hard on the protesters, killing at least 20 people. Since Iran is an authoritarian regime that keeps a tight grip on the domestic media, protesters used the Internet and social networking sites, such as Twitter, to spread news of the protests to the outside world. In fact, Twitter played such a vital role that the U.S. State Department asked Twitter to delay a scheduled maintenance shutdown to avoid disrupting the flow of information out of Iran. As police arrested hundreds of protesters on the streets, the unrest moved into cyberspace. Activists launched denial-of-service attacks on 12 Iranian government Web sites, including news services, the ministry of foreign affairs, the ministry of justice, and the national police. Prior to this crisis, the Iranian government had limited its people's use of the Internet by blocking access to Facebook, YouTube, and the BBC. Many people believe that in the wake of this cyberspace battle, the Iranian government began to take a more aggressive stance. On the evening of December 17, 2009, users logging into Twitter were redirected to a site showing a picture of the Iranian flag and a message: "This site has been hacked by the Iranian Cyber Army." An email address was posted under the flag. The attack was followed by assaults on popular Web sites including Baidu (the Chinese Google) and on internal Iranian targets. The message "Stop being agents for those who are safely in the U.S. and are using you" appeared on the Web sites of the two main Iranian opposition groups. After the initial attack, many people wondered just who ran the Iranian Cyber Army, what their purpose was, and how they were connected to the Iranian regime.
A PBS Frontline episode suggested that the Iranian government has been actively recruiting hackers inside Iran and importing technology for the operation through Dubai. Although no definitive proof is available to Western journalists, Frontline and others have pointed out that the Iranian Cyber Army carries out attacks with impunity and that the attacks are in line with the goals of the current regime. Additionally, in May 2010, a senior officer in Iran's Revolutionary Guard Corps (IRGC) claimed that the IRGC had succeeded in establishing the world's second largest cyber army. However, the officer did not specifically name the group. Then, after a September 2010 assault on TechCrunch Europe, a popular European technology blog, the Internet security company Seculert (which builds software to detect cyber threats affecting corporate networks) discovered that the Iranian Cyber Army had used an exploit kit (a package of methods designed to infect a computer with malware) of the kind sold by cybercriminals. During the attack, visitors to the TechCrunch site were redirected to a server that installed malicious software. Seculert was able to trace the exploit kit to the Iranian Cyber Army because the email address on the administrative site of the exploit kit and the one that had been posted under the picture of the Iranian flag were the same. Seculert found that the Iranian Cyber Army was running a botnet, a network of computers often controlled through malware by one source. Typically, botnet owners rent out capacity to cybercriminals, such as spammers, to generate revenue. But what was the Iranian Cyber Army doing with one? Seculert speculated that the group was jumping from simple defacement tactics to more serious cybercrime. The statistics page on the exploit kit's administrative Web site indicated that the botnet was infecting 14,000 new PCs per hour. By the time Seculert made its discovery and reported it to law enforcement, the system had already infected an estimated 20 million computers. In November 2010, shortly after the botnet discovery hit the news, the Iranian Cyber Army hacked the Web site of Farsi1, a popular satellite channel that airs Latin American soap operas dubbed in the Persian language. Iranian officials had previously condemned the channel as a tool of the West's cultural invasion and corruption of Iranian morality. The message posted on the hacked site read: "Rupert Murdoch, the Moby company, the Mohseni family [the three co-owners of the channel], and the Zionist partners should know that they will take the wish to destroy the structure of Iranian families with them to the grave." This message, however, may not have simply been one threat in a larger intimidation strategy carried out by an authoritarian regime. It's quite possible that while visitors sat curiously reading the message, their computers were being bombarded with malware so that they could be hijacked and used for more destructive purposes. Yet exactly what these purposes will be, and whether they will culminate in a cyberwar with the West, remains to be seen. Cyberterrorism is certainly not unique to the Middle East. In an April 2010 survey of information technology (IT) security managers at U.S. federal agencies, over 30 percent reported that their systems had been attacked in the previous year by overseas groups or terrorist organizations. Many of these agencies and departments deal with national security, including defense, foreign policy, and homeland security. Cyberterrorists believed to be from China, Russia, and other countries have penetrated the U.S. electrical grid and implanted software that, if not detected, could be triggered to disrupt the system.
And a former computer engineer at Fannie Mae planted malicious software that would have disabled monitoring alerts and all login data, deleted the root passwords to some 4,500 servers, and then erased all data and backup data. If successful, this attack would have wiped out millions of mortgage records. Fortunately, the planned attack was uncovered in time to prevent any loss of data.

Questions:

1. Is it ethical for the government of a country to use cyberterrorism tactics against opposition groups? Or against another country?

2. What measures must (a) private, (b) public, and (c) government-run organizations put in place to protect against future cyberterrorist attacks?
