In Iran, new attack escalates ongoing cyberconflict

Mar 25, 2011 | 5 mins
Cybercrime, Data and Information Security, Government

A cyber-attack linked to Iran this week is the latest in a string of cyber-events that some say represents a new step in a shadowy and long-running war between the Iranian government and those who criticize it on the Internet.

Comodo Group, a seller of digital certificates, said that an unnamed partner was compromised on the evening of March 15. The attack was worrying because the kind of digital Secure Sockets Layer (SSL) certificates that Comodo sells are an important part of the infrastructure used to secure the Internet. These certificates are encrypted files that tell the browser it’s securely connecting with the real, for example, and not an imposter site. They help prevent phishing attacks, but in a country like Iran, they can be critical to dissidents, helping to keep private communications safe from prying eyes.

The attack was well-planned and carefully executed, but according to Comodo, it was quickly detected. Massimo Penco, a vice president of Comodo based in Italy, said he received an alert around 7 p.m. on March 15 that something unusual was going on.

“Someone issued a certificate for Google, but we didn’t have a request from Google,” he said. Within 15 minutes of this happening, he was on the phone asking colleagues in New Jersey to lock the system down, he said. The certificate for Google was revoked within an hour or so, along with eight others that had been issued in the meantime.

Comodo doesn’t know who was behind the attack. In the hacking world, it’s standard practice to hop from computer to computer as a way of hiding one’s tracks. And a secretive country such as Iran is unlikely to share information with Western investigators.

Still, Iran has the means, motive and opportunity to pull off an attack like this in order to spy on supposedly secured communications between Iranians and the servers used by companies such as Google, Skype and Microsoft, all of whose certificates were spoofed in the attack, said Melih Abdulhayoglu, Comodo’s founder and CEO. “All things point to the Iranian government and their newly founded cyberwarfare department,” he said.

Representatives with Iran’s Permanent Mission to the United Nations were unable to comment Friday.

The Iranian government has been interested in monitoring and controlling its citizens’ Internet use for close to a decade now, said Mehdi Yahyanejad, founder of the popular Iranian discussion site Balatarin.

But after the founding of the country’s cyberpolice unit in late 2008, Iran began to flex some muscle. Yahyanejad believes that Iran was behind a complicated February 2009 attack that wiped out his website and kept it offline for three weeks. He suspects state involvement, because news of the attack was published on the state-sponsored Fars News Agency website within hours of the attack — before even Yahyanejad himself had had time to figure out what had happened.

With that attack, the hackers used social engineering techniques to trick Yahyanejad’s Internet service provider into giving them unauthorized access to his hosting account. And like the Comodo incident, it was meticulously planned and well-executed. Since 2009, Balatarin has been hit with numerous distributed denial-of-service (DDoS) attacks. The most recent, in January of this year, was unprecedented in power.

Iranian dissidents have a lot to worry about on the Internet these days.

E-mail and Web-based malware, along with distributed denial-of-service attacks, are regularly used parts of Iran’s toolkit, Yahyanejad said. The DDoS attacks flood websites with useless requests, knocking them offline. They appear during protests or times of unrest, often as a way of muffling protest on the Internet. “They want to make sure that during those days the videos don’t get out quickly enough, [in order] to reduce the media impact of those demonstrations,” he said.

In the past few years, a group calling itself the Iranian Cyber Army has surfaced and defaced websites belonging to Twitter, Chinese search engine Baidu, and just last month, the Voice of America. Nobody knows who the Iranian Cyber Army really is, but Yahyanejad believes that they could be state-sponsored too.

With Iran’s Green Revolution protests now just a memory, government opposition now lives on the Internet, not on the streets of Tehran. These latest attacks on Comodo’s digital certificates are a next step, made necessary as companies such as Google have pushed more and more users to secure, HTTPS websites, which are much harder for the government to monitor. “It’s an indication that they’re taking cybersecurity seriously as a theater of conflict,” said Cameran Ashraf, an Iranian-American digital activist.

Alex Stamos, a U.S. computer security consultant who is a founding partner at ISec Partners, agrees that the stakes are rising, in Iran and elsewhere. “The major American cloud computing providers and Web service providers — the Googles and the Facebooks and the Microsofts — are in a very quiet war with totalitarian governments to keep access to their services available and to keep those people safe,” Stamos said.

The lines in this battle are not clear. Are the hackers completely independent, or state employees? Do they operate with the tacit approval of the Iranian government? These questions are hard to answer. But both Comodo CEO Abdulhayoglu and Balatarin’s Yahyanejad believe that the attacks that hit them were methodical and well-planned enough that it was likely they were the work of the Iranian government.

“They’ve started going after the Internet,” Ashraf said. “It’s the last bastion.”

Peter Sayer, in Paris, contributed to this story.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is