The Iran Cyberwar Collection
Due to its length and focus, we have copied the entire blog series about the Iran Cyberwar here, in order, for your reading ease.
Please feel free to comment and to permalink here.
It is now evening on June 14 in the US Eastern Time Zone. This is the evening of the first day after the Iranian election. Here are some information points from a cybersecurity and a cyberwar point of view. Firstly, rumors started flying about 20 hours ago that Iran has shut off service to the rest of the world, and in particular, to social networks such as Twitter, Facebook and Myspace. Here is a small sampling of the traffic we have been seeing and its origination points:
Preamble
One of the first related tweets, giving a hint of trouble in Iran:
19:29 06/13/09 (all times GMT) sahibmirza: it was a rigged election in Iran and its time for regulars to hit the road.staying away is not an option any more.NO to ahmedinajat.
19:30 michael_SWC: Ahmadinejad Attacks Foreign Coverage of Iran Election (http://cli.gs/AuNnS2) <– first rumored accusation against foreign press
19:30 gossiptest: Gossip News- Riots Break Out In Iran Over The Re-Election Of Ahmadinejad [Iranian Elections]: Protes.. http://tinyurl.com/mbmh28 <– first rumors of riots in Iran
19:30 @librarygrape Committee of Ayatollahs urge that Iran election be invalidated http://bit.ly/2ZBNIi #newsjunkie #dnj #iranelection <– first news of Election Board being demanded to invalidate elections
19:32 my66: Iran Election Rigged? Mousavi Accusations Land Him In Prison http://tiny.cc/GMM4V <– first rumors of Mousavi arrested
19:34 tangesq: Reports and vids coming out of Iran are troubling: election monitors crying fraud, 50-100 dead, Mousavi possibly under house arrest <– first report of deaths in riots
19:35 vlfuller: For those at all interested in the elections in Iran, check out the photos here. http://bit.ly/S66Af: http://cli.gs/rTL9v0 –Share this news: http://bit.ly/eVVY2 (http://www.flickr.com/photos/mousavi1388/page15/ ) <– first picture of violence transmitted on Twitter / Flickr
20:19 khawkins: Curious why the media isn’t covering the events in Iran – the world’s most important story since the US election http://tinyurl.com/nlu3od <–first complaint about "traditional" news outlets not covering the aftermath of the Iran elections
20:25 VOMC: Mobile phones, Facebook, YouTube cut in Iran as election results spark riots http://tinyurl.com/lclple <– first report of social media sites being cut off
20:42 SMacLaughlin: @jeffjarvis Best coverage in Iran coming from @jimsciuttoABC — The revolution will be tweeted #iran <– first use of the phrase "The Revolution will be Tweeted"
03:24 AM 6/14/09 jonjanego: It sounds like iran is playing at internal cyberwar – shutting down internet, cellular services. Interesting reaction to ‘open’ elections! <– first rumor of Internet shutdown in Iran
The Battle For Network Control
Thanks to our friend Richard Stiennon (see his blog at http://threatchaos.com/), we came across the Renesys site that we hope to be able to show in this blog in the near future.
BGP and Internet Resiliency
If you read it carefully, it seems that Iran DID shut down its outbound Internet access for some time, but apparently forgot about the resilient nature of the Internet (and in particular the BGP protocol) that allows traffic to re-route, thus letting traffic out through Turkey (the country, not the beast).
Vint Cerf, one of the three "fathers" of the Internet, said about Internet resilience: "…[Internet] excellence can be measured in such terms as responsiveness, scalability, resilience to disruption, and ability to adapt to changing needs…"
First Datum about Affecting Infrastructure:
20:06 patrickodowd Ayatollahs Call for New Elections, Telephone Cut Off Tehran, Mousavi Arrested – http://bit.ly/E1fTM <– first report of Telephone shutdown
Cyberwar Begins
And while reports of Iranian government DDoS attacks against Mousavi started 3 days before the elections, the first report of DDoS attacks after the elections and against government sites started only at 18:00 GMT on June 14:
#iranelection Web-based DDoS of www.ahmadinejad.ir not a great idea if you still want there to be net for tweets out of Iran
And that was followed by a Twitter-wide "call for action" to attack sites in Iran, just about an hour later:
@nzanjani: help crash iran’s leading hardline newspaper! click http://tinyurl.com/nlkkxu and leave open! #iranelection DDoS 4 freedom
and
mediamadam: http://is.gd/11Pyy Iranian adm website hacked
Please, where´s my reverse engineers worldwide? HackIran.. <– examples of network Hacktivism
Lest we think this is all one-sided, here is a reported attack from Iran against TehranBureau.com. TB is hosted by GoDaddy, according to Whois reports. And they tweeted the following:
00:26AM @tehranbureau ‘webmaster says Iranian govt overloading us w/ requests to disable our site: "denial of service attack"’ #iran
Cyber Misinformation
StopAhmadi: "I am reading tweets from ppl that most likely just want to spread misinformation. Plz easy w/ RT’ing those. #iranelection"
And an example of reported account hacking:
xxx My twitter was hacked. am back in again. they are shutting down all internet services. #Iranelection
The instructions are getting more and more specific (xxxx are mine to remove reference to tools):
zerodamage: There’s a bit of a cyber war taking place in Iran right now. People are using xxxx.com with 1 second refreshes to DDOS. #iranelection
While some more … thinking.. minds are writing:
kenschafer: Before you get caught up in the "hey let’s DDOS Iran" mania sweeping Twitter, please read this: http://su.pr/7lfI3d
And yes… it would be that easy to use tools. Just click and point. This is a report, not my own thoughts on the subject. And now, at 01:00AM 6/15/2009, there is a name to the phenomenon:
davepaye: Take down Iran’s UN website: http://tinyurl.com/n75ml4 Support Freedom! #DDOS #iranelection <– Called the Green Revolution (a la the Velvet Revolution of Prague, see Wikipedia article here)
Cyberwar Weapon Sharing
And the attacks are getting more detailed with websites and even TOOL PACKAGES being distributed:
02:18 xxxxx How to DDOS (in a good way) Iran’s state-run media website. Please RT. http://twurl.nl/xxxxx #iranelection
And
02:19 Cyberwar DDoS package being distributed to take down Iranian gov sites. http://tinyurl.com/xxxx Get flood and ping flood. <– the tool was aptly named, StopAhmadiOnline.zip

And, of course, Facebook is harnessed to the effort and used to disseminate information about the status and about the DDoS attacks:

Open Proxy Sharing
Facebook is even used to disseminate info, both inside Iran and out, on how to bypass government filters, for example using open proxies:

Strategy Planning Sessions:
Here is an example of how a multiuser Google Docs document is used to coordinate attacks:

And, with indication of priorities and status, an easy "just click here" SaaS-like tool on Del.icio.us:

Scouting Reports:
Ahmadinijad (who can spell that right, anyways?) site hacked report, on Twitter:
17:23 06/15/09 www.ahmadinejad.ir – hacked – hacked – hacked – afareen – javeed bad mellat Iran. #Iranelection
and
17:31 confirmed – khamenaie website hacked – the dictator of iran. #Iranelection
Award Ceremonies, Mid-Combat:
17:43 we honour and thank the people of Iran and especially the hackers. Baseej have guns we have brains. #Iranelection
Twitter affects Iran <-> Iran affects Twitter:
In a modern version of "what came first: chicken or egg?" Twitter today announced that it is changing a long-scheduled downtime for maintenance to a different day and time due to the situation in Iran. The exact language is:
…In coordination with Twitter, our network host had planned this upgrade for tonight. However, our network partners at NTT America recognize the role Twitter is currently playing as an important communication tool in Iran. Tonight’s planned maintenance has been rescheduled to tomorrow between 2-3p PST (1:30a in Iran).
Later, on June 16, 2009, CNN reported the following:
CNN: Senior officials say the (US) State Department is working with Twitter and other social networking sites to ensure Iranians are able to continue to communicate to each other and the outside world. By necessity, the US is staying hands off of the election drama playing out in Iran, and officials say they are not providing messages to Iranians or “quarterbacking” the disputed election process. But they do want to make sure the technology is able to play its sorely-needed role in the crisis, which is why the State Department is advising social networking sites to make sure their networks stay up and running for Iranians to use them and helping them stay ahead of anyone who would try to shut them down.
Twitter Takes Action:
Around 23:59 GMT on 6/15/09, the hash tag #DDOSIRAN has completely disappeared from Twitter Search. We assume that Twitter took (had to take) steps to remove it and related posts due to their rather egregious nature. To spell it out… to knowingly allow tools that perpetrate a crime to be shared through one’s service might get one in some legal trouble. Again… this is just my guess…
Attacking "Supply Routes":
06/15/09 21:02 GMT Reports are arriving, again via Twitter, that anyone with a camera or laptop is attacked in the street. Apparently the govt of Iran has started to figure out that without these "weapons" and supplies, the "soldiers" cannot communicate. Here is one example of the importance of these tools:
02:08 06/16/09 everybody try to film as much as poss today on mobiles – v\imptnt – these are eyes of world #Iranelection
Creation of a Fifth Column – Hiding From the Hunters:
Help cover the bloggers: change your twitter settings so that your location is TEHRAN and your time zone is GMT +3.30. Security forces are hunting for bloggers using location and timezone searches. If we all become ‘Iranians’ it becomes much harder to find them.
And Counter-Counter-Intelligence:
The site Tweetspam.org has come out with warnings, refreshed continuously, against certain accounts believed to be spam and/or Iran government agents masquerading on Twitter to spread disinformation.

Signs of Compartmentalization:
Don’t blow their cover! If you discover a genuine source, please don’t publicise their name or location on a website. These bloggers are in REAL danger. Spread the word discreetly through your own networks but don’t signpost them to the security forces. People are dying there, for real, please keep that in mind…
Iran Strikes Back:
Reports are rushing in that Iran is making a coordinated effort to shut down all unofficial computer access in the country! Examples:
23:59 AM GMT 06/16/09 several arrests today after tracking thru twiter proxys – #Iranelection
and another
any proxy addss shown on twitter is possible trap – freedom twitters in Iran DO NOT follow – YOUR LOCATION IS VISIBLE – #Iranelection
And even worse:
…they are literally going door to door and taking computers in iran
In response to questions: I am actively removing the names of Twitter users IN Iran from these quotes. For obvious reasons.
More sophisticated material (advanced training, if you would) is coming up in video: How to circumvent an Internet proxy – a training video: http://bit.ly/ieJcZ
Pirates Ahoy!
At 02:00 AM GMT 06/17/09, I noticed that The Pirate Bay has thrown in its lot with the Iranian people. As you can see below, they have dyed their site green, put a slogan on their usual logo, and made available a "secret" site to help the cause.
If you click on the (pirate) ship, you will find yourself at http://iran.whyweprotest.net/:
Whyweprotest is a site with a veritable treasure trove of information on the ongoing struggle. It includes tools, strategies, locations and translations, in addition to many other pieces of information relevant to the conflict.
"Intelligence":
Via Twitter and websites, we have now received this information: a scanned image showing a letter. We have no idea as to its validity or content (my Persian is rusty :p ). It is claimed to be "The Real Vote Count", allegedly showing that Mir-Hossein Mousavi won the elections, and that Ahmadinejad achieved THIRD place. Regardless of its validity, this shows us the power of scanning, faxing and email in addition to the power of social networks.
The force of the written (electronic) word:
We found out that our own tweet regarding the rescheduling of downtime for Twitter was re-tweeted at least 3100 times! That serves to remind us just how pervasive a Twitter message can be.
Twitter Blog: Down Time Rescheduled
Tweeter reschedules Maint downtime due to #Iranelection #iranelections – 15th June 23:32
Attempts at (electronic) Crowd Control:
Thanks to the UK’s Guardian, we have the following information:
10.05am 06/17/09: The Revolutionary Guard, an elite military force answering to Supreme Leader, warned bloggers to remove any materials that "create tension" or face legal action, AP reports.
Propaganda:
This is a picture, circulated with the help of Twitter and several websites, which shows alleged "photoshop-ing" of a pro-Ahmadinejad rally. Draw your own conclusions:
Some Raw Data:
To celebrate this, the tenth blog on the Iranian Cyberwar, we thought we would show you some raw data. First, here is a weekly snapshot of Twitter traffic regarding Iran:
(With a special thanks to flaptor (@flaptor) for his great support!)
If you take a close look, you’ll see that at 04:30 chart time on Saturday, June 13, which is 15:00 in Iran, a spike started in Twitter. At that time, the topic Iran was at a respectable showing of 0.1% of all Tweets on Twitter, but that was nothing compared to what was about to come. The first statistical peak appeared on Sunday, at 9:00 AM Iran time, capturing an incredible 1.2% of all Tweets on Twitter. In a moment we will discuss just how many Tweets that figure represents. By Tuesday, at 10 AM Iran time, that number hit 1.9% of all Tweets. A very large number of Tweets. According to several websites, the TOTAL activity of Twitter at that time was almost 12,000,000 tweets per hour. That’s 12 million, people. Leading to the conclusion that close to 228,000 tweets were made about Iran at that time, or 158 per minute, 2.6 PER SECOND just about Iran.
*Numbers have been corrected since the time of the first post.
Today we will discuss the prevalence and importance of the level of public participation regarding the Iran situation. First, a statement made by YouTube: "We are receiving the equivalent of TWENTY HOURS of video [about Iran] every MINUTE". Even assuming that a lot of this is duplicate, even if exactly duplicate, this is a staggering figure. If we retrograde this a week (and assume a constant rate), we will get:
7 days × 24 hours per day × 60 minutes per hour × 20 hours of media per minute = 201,600 hours of video, so far.
That is equivalent to 23 years of video, so far, on the Iranian situation. Just a tad longer than the time passed since the Islamic Revolution that brought the current regime to power there. Holy Cow (no pun intended). Another way to look at the data is to see the density of the sending points, as made possible by a YouTube/Google Map mashup to follow.




