Cyberattacks on Iranian Online Businesses Expose State’s Failed Digital Security Promises
Government Touted “National Information Network” by Promising Improved Digital Protections
At least 20 digital media and
financial companies in Iran were targeted with DDoS attacks in February 2019,
highlighting the government’s inability to deliver promised protections to
citizens or stop the current round of attacks, the Center for Human Rights in
Iran (CHRI) has learned.
Distributed
denial of service (DDoS) attacks aim to
make a website unavailable and are typically used when the attacker is trying
to prevent dissemination of information released on a website.
In this round of attacks, the
anonymous assailants also aimed to carry out financial extortion against
company owners, including by demanding Bitcoins, a form of electronic currency.
At present, only one of the
companies has been able to bring its website back online.
CHRI has also learned that
after the Iran-based tech news website Fanavaran published a report about the attacks, an individual using the pseudonym
“Master” contacted the reporter and the editor and threatened to launch a DDoS
attack against the site if the report was not deleted.
When Fanavaran refused to
comply, its website became inaccessible under a new round of DDoS attacks, and
remains down at the time of this writing.
To date, the only response from
the Iranian government has been a text message from the FATA cyber police force
warning some company owners that they could come under attack: “Warning: There
are varied and widespread DDoS attacks against Iranian businesses with the use
of millions of [botnets]. We advise you to update and upgrade your tools.”
Attacks Highlight Inability of NIN to Protect Iranian Users
Since 2016, officials of the
Ministry of Information and Communications Technology (Telecommunications
Ministry) have been trying to assure the Iranian public that the
state-controlled National
Information Network (NIN), launched that
year, provides increased protection against DDoS attacks.
NIN, which gives the Iranian
government newly expanded abilities to control users’ access to the internet
and monitor their online communications, also separates domestic internet
traffic from international internet traffic, allowing the state to cut Iranians
off from the global internet while maintaining access to state-approved
domestic sites and services.
In August 2016, Esmail Radkani,
the assistant in charge of network management at the state-run
Telecommunications Infrastructure Company (TIC), stated that NIN’s DDoS protection and anti-phishing modules would
“guarantee” security.
But Sajad Bonabi, a TIC board
member, told Fanavaran on February 17, 2019, that, “These services are
not available on NIN, and therefore the private sector cannot get active in
this field.”
Speaking about the DDoS attack
his company suffered, Adventure CEO Alireza Aghasi told CHRI that part of
the protection promised by the Iranian government would require hosting data
centers inside Iran, which is expensive and cumbersome.
“Infrastructure data centers in
Iran are very expensive and their quality is not satisfactory and therefore in
order to ensure our protection we have to do everything ourselves,” he said.
Aghasi added that his company’s
current situation in Iran is “painful” because he is unable to get the digital
security he needs inside or outside Iran.
“If we transfer to a foreign
host server it will cause two major problems,” he said. “First, our server
might be shut off at any moment because of the sanctions on Iran.”
“Second, the quality of access
to the international internet is very poor in Iran,” he added. “Communications
is very slow on it and as a result, our services will suffer.”
Companies that have opted to
host their data outside Iran have seen their services suddenly cut. For
example, in January 2019, Digital Ocean, a major American cloud
infrastructure provider, informed its Iranian clients that it was cutting off service due to
US sanctions.
Masoud Tabatabaie, CEO of the Ali
Baba travel site, said in an interview with the tech website Webmasterfa that the
Iranian government has not done anything to prevent more attacks.
“We have contacted the Maher
center but so far nothing major has been done to deal with these attacks,” he
said. “Perhaps if all the businesses that have been victims of such attacks
unite, maybe then something could be done to stop them.”
“Maher” is the Persian acronym
for the Computer Emergency Response Team Coordination Center (CERTCC), which operates under the Telecommunications
Ministry.
Are Telegram Client Apps Facilitating Cyber Attacks in Iran?
Farhad Fatemi, the technology
vice-president at Arvan, an Iran-based web hosting
company used by many of the businesses targeted in the latest round of
attacks, told the Islamic Republic News Agency that during the week of
February 18, at least 20 major Iranian companies had been attacked.
They include Zarinpal, a financial services company; Ali Baba, which sells airline, train
and bus tickets; and the Fanavaran tech daily. To date, only Zarinpal has succeeded in
warding off the attacks.
The head of the state-run
Information Technology Organization (ITO), Amir Nazemi, indirectly
suggested that Hotgram and
Telegram Talaeii, Iranian-made client apps
based on the Telegram
messaging app, could be facilitating the attacks.
He told Fanavaran on February 17, 2019: “A lot of IPs were used to
carry out these DDoS attacks and we strongly suspect that the cause is an
infected app, which has turned mobiles and computers into zombies that attack
businesses.”
Asked if he was referring to
the Iranian-made Telegram client apps, Nazemi responded, “Yes, this is one
possibility but we are carrying out more investigations to prepare a more
complete report.”