Three Key Twitter/Iranian Cyber Army Links, and a Warning

Last Updated on Monday, 21 December 2009 01:10 Written by Jeffreycarr Sunday, 20 December 2009 03:39

The Dec 17, 2009 event was a tempest in a teapot, but to save you time and trouble, here are 3 links that tell you everything you need to know about what happened, what didn’t happen, and what the take-away should be.

  • If you want to know what happened, and how it happened, click here.
  • If you want to know what probably did not happen, in spite of the poster’s histrionics, click here.
  • If you want to know what the most important take-away from this incident is, click here.

Having said all that, I am worried about what might happen on December 27, 2009, which marks the anniversary of Operation Cast Lead; Israel’s attack against Hamas strongholds in Gaza which resulted in over 1,000 casualties and a lengthy cyber war between State and Non-state hackers. December 27th (on or about) is also a Muslim holy day – the Day of Ashura, which commemorates the martyrdom of Imam Husayn.

For this reason, agencies and corporations who are high value targets for cyber attacks may want to review their network and physical security plans.


RBN servers support Tehran’s propaganda arm, the IRIB

Last Updated on Monday, 7 December 2009 02:21 Written by Jeffreycarr Monday, 7 December 2009 03:07

As Tehran struggles to retain its hold on traditional power it is struggling to grasp the power of untraditional media; i.e., Twitter, Facebook, YouTube and the like. Farnaz Fassihi’s article “Iranian Crackdown goes Global” in Friday’s Wall Street Journal does a great job in depicting to what length Iran is willing to go to keep change at bay including ordering agents of its Intelligence Service to monitor Iranian dissidents in foreign countries like Germany. Fassihi also writes that Iran’s Revolutionary Guard is using social media to identify and track dissidents online and in some cases confront them in person to squash dissent.

In order to understand new media and the social web, Tehran relies on the work of the Research Center of Islamic Republic of Iran Broadcasting (RCIRIB). The director of the IRIB is personally appointed by the Supreme Leader and representatives from Iran’s Judiciary, Parliament, and the office of the President oversee its operation. If you visit the RCIRIB website, you’ll see that there’s an English version. Don’t bother clicking that button because if you do all you’ll see are carefully selected articles like “I am Canadian: National identity in beer commercials.” Instead, just run the URL through an online translator, head over to this link and you’ll find several papers exploring “social capital” and many other research topics of actual interest to the Iranian government.

The real surprise for me was when I learned of the RCIRIB’s connection to Russian organized crime. Tehran has learned at least one thing about “social capital”; that its websites are vulnerable to DDoS attacks. A connection to an RBN server is going to help them avoid that problem according to what EmergingThreats.net RBN researcher James McQuade has told me in a recent e-mail exchange:

The Iranians turned to either the Russian government or organized crime for assistance because their servers are facing DDOS and DNS flood attacks from Iranian activists.  Such attacks are organized quite easily using simple tools that require no technical expertise on the part of the hacktivist (as occurred in the latter half of the Russia-Georgia War).  The Register reported on these events on June 22nd:

“Rather than using simple code, with automated viral botnets and the like, these efforts are largely being driven by hand. There are a number of simple scripts going around that can be downloaded and which continually reload the target Web sites in a browser window,” said Jim Cowie, CTO of security tools firm Renesys.

Consequent to the request, the RBN has configured at least two of their servers to provide name server resolution from www.crspa.ir (the CNAME forward entry on the RBN servers) to crspa.ir (a CNAME entry on the Iranian server which is an alias for www.rcirib.ir).  This allows for the resolution of the www.rcirib.ir web site during periods when its name servers (ns1.rcirib.ir and ns2.rcirib.ir), are unable to respond due to attacks by Iranian hacktivists.  Both of the rcirib.ir and crspa.ir domains are owned by The Research Center of Islamic Republic of Iran Broadcasting, which gathers intelligence on dissenters from the Internet on behalf of the crackdown.

As recently as April, the crspa.ir domain had its own name server (which is no longer in existence), but was probably on the same machine as ns1.rcirib.ir. The RBN are skilled at DNS tactics (revolving DNS, flux, etc.), and it will be interesting to see how they respond should their servers become engaged by the Iranian hacktivists.
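The arrangement described in the e-mail above is a CNAME chain whose hops sit in zones served by different name servers. From a defender's side the useful question is which authoritative servers must be reachable for a given name to resolve, and what happens to that name when some of them are under attack. The following Python is an added example (not code from the post or from the researchers it quotes): it walks a CNAME chain over a constructed, in-memory set of zone records that reuses the host names from the e-mail, but the address, the third-party nameserver names and the zone layout are placeholders, not observed data. It reports every nameserver the final answer depends on, lists those outside an organization's own domain, and checks whether a name still resolves when a given set of servers is down.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    nameservers: tuple   # authoritative servers that must answer for this zone
    records: dict        # owner name -> (rtype, value); rtype is "A" or "CNAME"


# Constructed sample data. The owner names come from the quoted e-mail; the
# address, the third-party nameserver names and the zone split are placeholders.
SAMPLE_ZONES = {
    "crspa.ir": Zone(
        nameservers=("ns-a.thirdparty-hoster.example", "ns-b.thirdparty-hoster.example"),
        records={
            "www.crspa.ir": ("CNAME", "crspa.ir"),
            "crspa.ir": ("CNAME", "www.rcirib.ir"),
        },
    ),
    "rcirib.ir": Zone(
        nameservers=("ns1.rcirib.ir", "ns2.rcirib.ir"),
        records={"www.rcirib.ir": ("A", "192.0.2.10")},
    ),
}


def zone_for(name, zones):
    """Longest-suffix match: the zone that holds the records for `name`."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise KeyError(f"no zone for {name}")


def resolve(name, zones, max_hops=8):
    """Follow CNAMEs from `name` until an A record is reached.

    Returns (address, hops, dependencies): `hops` lists every record consulted
    and `dependencies` is the set of nameservers that had to answer on the way.
    """
    hops, deps, seen = [], set(), set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        zone = zones[zone_for(current, zones)]
        deps.update(zone.nameservers)
        rtype, value = zone.records[current]
        hops.append((current, rtype, value))
        if rtype == "A":
            return value, hops, frozenset(deps)
        current = value   # rtype == "CNAME": keep walking
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def external_dependencies(name, own_suffix, zones):
    """Nameservers outside `own_suffix` whose availability `name` depends on."""
    _, _, deps = resolve(name, zones)
    return sorted(ns for ns in deps if not ns.endswith(own_suffix))


def resolves_during_outage(name, down_nameservers, zones):
    """True if `name` still resolves when every server in `down_nameservers`
    is unreachable; a zone still answers as long as one of its servers is up."""
    current = name
    for _ in range(16):   # bounded walk; a loop simply fails to resolve
        zone = zones[zone_for(current, zones)]
        if all(ns in down_nameservers for ns in zone.nameservers):
            return False
        rtype, value = zone.records[current]
        if rtype == "A":
            return True
        current = value
    return False


if __name__ == "__main__":
    addr, hops, deps = resolve("www.crspa.ir", SAMPLE_ZONES)
    print(addr, hops, sorted(deps))
    print(external_dependencies("www.crspa.ir", ".rcirib.ir", SAMPLE_ZONES))
    print(resolves_during_outage("www.crspa.ir",
                                 {"ns1.rcirib.ir", "ns2.rcirib.ir"}, SAMPLE_ZONES))
```

The dependency set makes the point a resilience review needs: every zone that a CNAME hop lands in adds its nameservers to the list of things that must be up, so a chain only survives an outage of a given server set if each zone along the way, including the zone holding the final A record, still has at least one reachable server. Replacing `SAMPLE_ZONES` with records pulled from a real resolver turns the same walk into a check of one's own names.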

For those of you who believe that the RBN vanished in November, 2007, it didn’t. It went dark shortly after a meeting between agents of the FBI and FSB occurred in Moscow. It remains a key part of the Kremlin’s Information Warfare strategy by providing the infrastructure for non-state actors to engage opposition groups in various cyber operations ranging from espionage to network attacks. However, this is the first time that I have seen it used to support an allied regime. Kudos to Jim and his fellow researchers for their ongoing work in tracking them.

UPDATE: The RBN is supporting two domains assigned to the IRIB (courtesy Secure Home Networks):


This was a bad idea on so many levels

Last Updated on Saturday, 20 June 2009 10:22 Written by admin Saturday, 20 June 2009 10:22

On the Weaponization of the Collaborative Web by Matthew Burton

Matt is a good man and a valued colleague and collaborator, but his rationale for engaging in a DDOS attack just fails on so many levels (some of which he himself mentions in his post).

My biggest concern is that as a self-identified past employee for a U.S. government intelligence agency, his engagement in an unauthorized computer Web site attack reflects on his former employer and on the U.S. government as a whole. Anyone engaged in collecting OSINT on U.S. gov employees will read Matt’s actions not as coming from a place of passion and sympathy but as the same kind of covert encouragement from State sources that we ascribe to the actions of Non-state hackers in geopolitical Web conflicts across the globe. This, of course, is NOT the case, but I’m sure that anyone reading this can see how easy it is to jump to that conclusion.

I’m glad that Matt’s final decision was to stop his attack. I just wish he didn’t make it in the first place.

