Dear readers, in our last article we described how the famous hacking group Anonymous was first formed from the website 4chan and went on to become famous for hacktivist attacks across the world. In this article we talk about Anonymous’ ongoing campaign against the Iranian government and name some of the sites hacked by Anonymous.
Iran first became a target for Anonymous in August 2022, when a Twitter account claiming to be part of Anonymous (@SwordofAnon) released a video in Arabic claiming they had proof that the IRGC Quds Force had been supporting and protecting high-level members of Al-Qaeda in Tehran. We wrote an article at the time and questioned whether this was a single attack or the start of a campaign.
A month later, in September, protests began across the country when Mahsa Amini, a 22-year-old Kurdish Iranian traveling from Kurdistan to Tehran to visit relatives, died after being held in police custody for not wearing a hijab properly. Soon after the protests began, the Iranian government began to target the internet, blocking access to social media sites and messaging apps. Netblocks, an internet observatory group, stated that it was “the most severe internet restrictions since violent November 2019 protests over the sudden rise in the price of gasoline”.
Hacked by Anonymous #OpIran
Four days later on 20 September the Anonymous collective announced the launch of cyber operations against the Iranian government with the words “We are here and we are with you! #OpIran Engaged. Expect Us!”
Soon after, hackers claiming to be from Anonymous began targeting government websites and national online infrastructure.
Some of the first targets included data transmission company Asiatech, Iran TV, and Farsnews. In one hack more than 300 webcams were taken over and video was released showing protests in several Iranian cities.
Since then the websites have been on and off, indicating a struggle between the hackers and Iranian cybersecurity.
Attacks against Iranian infrastructure continued. On 25 September @KromSec announced they had attacked multiple websites including The Iranian Assembly, The Islamic Azad University, The Ministry of Economy and Finance, The Ministry of Petroleum and Farsnews. The group claimed to have broken into the database of the Iranian Parliament, obtaining the personal information of lawmakers. In a YouTube video posted by the group they stated “The Iranian parliament supports the dictators when it should support the people, so we are releasing the personal information of all of them”.
Later, on 29 September, the same group breached the Sharif University of Technology database and took 9GB of information. It should be noted that the group refused to release information on students and only targeted the university’s administration.
The Iranian government has denied that its sites have been affected; however, independent observers online have refuted this claim. Emiel Haeghebaert, a threat intelligence analyst for Mandiant, was quoted saying “Mandiant can confirm that several of the services claimed to have been disrupted have been offline at various points in time, and in some cases, remain unreachable.” He continued, “Overall, these DDoS and doxing operations may add to the pressure on the Iranian government to pursue policy changes.”
On Anonymous’ involvement, Haeghebaert noted it was “consistent with activity” previously credited to affiliates of the organization. Earlier this year, as stated in our last article, Anonymous launched a number of cyber attacks on Russian entities in response to Moscow’s attacks on Ukraine.
Bypassing internet restrictions
As the protests grew, the people of Iran were subjected to even greater internet blackouts. Soon Netblocks was reporting a nation-scale loss of connectivity on MCI, Iran’s leading mobile operator. In response, Anonymous began to post guides on how to avoid censorship, telling the citizens of Iran how to use tools such as VPNs and Tor.
In one instance a Telegram channel with 5000 members shared details about open VPN servers to help citizens bypass the internet blocks, while a separate group distributed links to educational resources on the use of proxy servers, which tunnel traffic through a constantly changing community of computers run by volunteers to make it difficult for authorities to restrict traffic.
Web security firm Cloudflare has documented multiple examples of disruption to telecommunications networks in Iran. “It’s been really hard to be in touch with friends and family in Iran. The internet is messed up here so sometimes we can’t communicate for days, I have limited access to Instagram so I use that for the time being to contact people,” a young professional from Tehran was quoted as saying. He added that he and his friends rely on VPNs to access social media platforms.
Several videos and posts widely shared by Iranian activists on social media read “THEY ARE SHUTTING THE INTERNET TO HIDE THE KILLING. BE OUR VOICE”
Sites continue to be hacked by Anonymous
The attacks on Iranian government infrastructure continued. The account @Anonymous OpIran hacked the content delivery network Abr Arvan, claiming it helped the government to filter and restrict the internet, while the Anonymous group GhostSec attacked Samand Rail, blocking remote access to their systems and stopping their internet access.
Mahan Airlines also became a target of Anonymous after its activities in support of the IRGC Qods Force were exposed in November 2021 by a group calling themselves Hooshyarane Vatan.
Women of Anonymous
Anonymous is a collective of hacktivists that has no leader or central control. In the past, Anons, as the members of Anonymous call themselves, have been shown in videos wearing masks and hoods, with the individuals in these videos appearing to be male. With Mahsa Amini’s death and the ongoing campaign against the Iranian government this has changed: the campaign has seen an increasing number of female Anons in videos and among Anonymous-affiliated accounts. Before, most Anonymous accounts used an image of a dark suit and a question mark; more symbols of Anonymous are now being used.
An interview with an Anon
When we decided to write this article we reached out to Anonymous to ask them questions. An Anon called @wond3rghost, who is a member of GhostSec and founder of the New Blood Project, was happy to answer.
ICNA – How long have you been Anonymous or did protests encourage you to join?
@wond3rghost – I took part in Anonymous at the end of 2020.
ICNA – If you were Anonymous before the protests, what area did you target?
@wond3rghost – Where there is injustice, massacre, oppression.
ICNA – What skills do you need to be Anonymous?
@wond3rghost – In terms, Anonymous doesn’t need any skills. It’s rather a common goal we all share. Everyone can be Anonymous, some are activists and others are “hacktivists”.
ICNA – Did you get your skills from university or did you learn online?
@wond3rghost – Personally I am a self-taught person, I learn by myself.
ICNA – How did you join Anonymous, what was the process?
@wond3rghost – I started in a group dedicated to new members that we call #OpNewBlood. Then some months after I joined my actual group GhostSec.
ICNA – How does Anonymous verify that others are Anonymous?
@wond3rghost – We do not verify the identity of others, we use our judgement to determine whether or not another member represents our collective.
ICNA – How will you escalate activity if the crackdown continues?
@wond3rghost – We will follow it. Each day we are more, and they are less.
ICNA – Is there direction on your targets from all of Anonymous, or do you choose your own direction?
@wond3rghost – I would say that in general the target is anything related to government, but some specific targets are also set in several subgroups.
#OpIran goes on
Six weeks on from the death of Mahsa, Anonymous show no sign of slowing their attacks. On 2 November the Salehoon News website was hacked, and as we finish this article, only today the email server of the electronic service portal was hacked and documents were released related to internet filtering and restrictions.
It remains to be seen how long the OpIran campaign will continue, but what is sure is that, in the words of one Anonymous account:
We Don’t Forget
We Don’t Forgive
We Are Here