In the first hours of January 5, a popular anonymous Iranian dissident account called Jupiter announced on Twitter that his friends had killed Abolqasem Salavati, a maligned magistrate nicknamed the “death judge”. The tweet went viral, and thousands of jubilant people flocked to the account’s Twitter space to thank them for murdering the man responsible for sentencing hundreds of political prisoners to death.
Soon, however, a few participants expressed doubts about the veracity of the claim. They were cursed and kicked out of the room, as the host insisted, “Tonight is the party!” while repeatedly encouraging viewers to spread the news. The following day, activists on the ground and Iranian media confirmed that Salavati was alive and well. Several experts suspect Jupiter was a cyber operation by the Islamic Republic of Iran to distract people: the Iranian government executed two protesters on the same night as the Twitter space.
Within its borders, the Iranian regime controls its population through one of the world’s most rigorous internet filtering systems, physical repression and mass arrests carried out with impunity. Beyond its physical and virtual borders, however, the IRI is vulnerable, as the regime struggles to contain the rhetoric and silence dissenters. To counter oppositional narratives in the West and among domestic activists armed with VPNs, the IRI’s cyber-army deploys multi-faceted, underhanded and sometimes clumsy tactics. With the ongoing political turmoil in Iran, old cyber tactics have been intensified, and new tricks aimed at distracting, discrediting, distorting and sowing mistrust have come to the fore as the regime finds itself at a critical juncture.
Desperate times, desperate measures
Among the tactics used by IRI cyber operatives, colloquially known as Cyberi, is old-fashioned hacking. The Iran-linked hacker group Charming Kitten gained notoriety in 2020 for its spear-phishing attempts against journalists, academics and political pundits in the West. The group was known for its signature strategy of impersonating journalists or researchers and feigning interest in the work of their targets as a pretext to send interview requests that embedded a spear-phishing link. Recent reports from the UK government’s National Cyber Security Center and the security company Beggar found that such spear-phishing activities by the cyber groups TA453 and APT42, which are affiliated with Iran’s Revolutionary Guard Corps, are increasingly widespread. Last month, the popular anti-diet account RKOT claimed to have received a request for a geolocated interview at an IRGC office in Shiraz from an individual claiming to be a journalist from The New York Times.
According to Amin Sabeti, founder of CERTFA, a cybersecurity collective specializing in uncovering Iranian state-sponsored cyber activities, these operations have changed their methods over the past few months, as most targets of interest are aware of the threat and have learned to protect themselves against spear-phishing. Instead, says Sabeti, they are now using a “domino effect” strategy: they aim for low-key targets, harvest their credentials, and use the compromised accounts to build trust and gain access to higher-profile targets in their network. Earlier this month, for example, Iranian-Canadian human rights activist Nazanin Afshin Jam said she had received a spear-phishing link from a trusted colleague who had been hacked.
“Right now they’re going after anyone they care about, in regards to this revolution, especially people who work in nonprofits,” Sabeti says.
Notably, some of these state actors establish their credibility and trust over time by posing as anti-regime voices and ardent supporters of the protest movement, or by building relationships with targets. An account by the name of Sara Shokouhi was created in October 2022, claiming to be an academic from the Middle East. The account spent months amplifying opposition voices and writing heartfelt tributes to the demonstrators before finally being outed by Iranian experts as a state-sponsored phishing operation.