A cyber-attack linked to Iran this week is the latest in a string of cyber-events that some say represents a new step in a shadowy and long-running war between the Iranian government and those who criticize it on the Internet.
Comodo Group, a seller of digital certificates, said that an unnamed partner was compromised on the evening of March 15. The attack was worrying because the kind of digital Secure Sockets Layer (SSL) certificates that Comodo sells are an important part of the infrastructure used to secure the Internet. These certificates are encrypted files that tell the browser it's securely connecting with the real Gmail.com, for example, and not an imposter site. They help prevent phishing attacks, but in a country like Iran, they can be critical to dissidents, helping to keep private communications safe from prying eyes.
The attack was well-planned and carefully executed, but according to Comodo, it was quickly detected. Massimo Penco, a vice president of Comodo based in Italy, said he received an alert around 7 p.m. on March 15 that something unusual was going on.
"Someone issued a certificate for Google, but we didn't have a request from Google," he said. Within 15 minutes of this happening, he was on the phone asking colleagues in New Jersey to lock the system down, he said. The certificate for Google was revoked within an hour or so, along with eight others that had been issued in the meantime.
Comodo doesn't know who was behind the attack. In the hacking world, it's standard practice to hop from computer to computer as a way of hiding one's tracks. And a secretive country such as Iran is unlikely to share information with Western investigators.
Still, Iran has the means, motive and opportunity to pull off an attack like this in order to spy on supposedly secured communications between Iranians and the servers used by companies such as Google, Skype and Microsoft, all of whose certificates were spoofed in the attack, said Melih Abdulhayoglu, Comodo's founder and CEO. "All things point to the Iranian government and their newly founded cyberwarfare department," he said.
The Iranian government has been interested in monitoring and controlling its citizens' Internet use for close to a decade now, said Mehdi Yahyanejad, founder of the popular Iranian discussion site Balatarin.
With that attack, the hackers used social engineering techniques to trick Yahyanejad's Internet service provider into giving them unauthorized access to his hosting account. And like the Comodo incident, it was meticulously planned and well-executed. Since 2009, Balatarin has been hit with numerous distributed denial-of-service (DDoS) attacks. The most recent, in January of this year, was unprecedented in power.
E-mail and Web-based malware, along with distributed denial-of-service attacks, are regularly used parts of Iran's toolkit, Yahyanejad said. The DDoS attacks flood websites with useless requests, knocking them offline. They appear during protests or times of unrest, often as a way of muffling protest on the Internet. "They want to make sure that during those days the videos don't get out quickly enough, [in order] to reduce the media impact of those demonstrations," he said.
In the past few years, a group calling itself the Iranian Cyber Army has surfaced and defaced websites belonging to Twitter, Chinese search engine Baidu, and just last month, the Voice of America. Nobody knows who the Iranian Cyber Army really is, but Yahyanejad believes that they could be state-sponsored too.
With Iran's Green Revolution protests now just a memory, government opposition now lives on the Internet, not on the streets of Tehran. These latest attacks on Comodo's digital certificates are a next step, made necessary as companies such as Google have pushed more and more users to secure, HTTPS websites, which are much harder for the government to monitor. "It's an indication that they're taking cybersecurity seriously as a theater of conflict," said Cameran Ashraf, an Iranian-American digital activist.
Alex Stamos, a U.S. computer security consultant who is a founding partner at ISec Partners, agrees that the stakes are rising, in Iran and elsewhere. "The major American cloud computing providers and Web service providers -- the Googles and the Facebooks and the Microsofts -- are in a very quiet war with totalitarian governments to keep access to their services available and to keep those people safe," Stamos said.
Posts
