Iran hackers 'bypassing Whatsapp encryption' to target
dissent: reports

The reports point to major technological strides for Iran's cyberespionage capabilities.
3 min read
18 September, 2020
Government-backed hackers reportedly downloaded data stored on Whatsapp, according to one report [Getty]
Government-backed hackers in Iran have been running a large spying operation with tools capable of bypassing encrypted messaging systems, according to two digital security reports published by The New York Times on Friday.

Hackers targeted foreign dissidents and minorities, although they are also capable of targeting citizens within the country, according to reports by cybersecurity firm Check Point Software Technologies and digital security rights group the Miaan Group.

The programmers successfully infiltrated their targets' mobile phones and computers, circumventing encryption used in Telegram and Whatsapp, and according to the report by Miaan Group.

The hackers also designed malware disguised as Android applications, according to the reports.

A Telegram spokesman said the company was not aware of the operation. Whatsapp have offered no comment.

The reports point to major technological strides for Iran's cyberespionage capabilities and come amid reports from the US that Iran is using cybersabotage in an attempt to influence American elections.

According to the report by Check Point, the operation was set up in 2014.

Miaan traced the first operation to February 2018 from a malicious email sent to a Sufi religious groups in Iran, after its adherent had clashed violently with security forces.

Malware used in that attack and subsequent attacks were traced to Andromedaa, a private technology firm based in the city of Mashhad.

Miaan's researchers found that the company had repeatedly targeted activists and minority groups, and had phishing and malware tools that could target the public.

Hackers' goals were two-fold, according to the Miaan report: "to steal information about Iranian opposition groups abroad and to spy on Iranians who would use mobile application to plan protests."

According to Check Point, hackers typically lured their target by sending what appeared to be tempting documents and applications to open.

Documents contained a malware code that would activate spyware commands from an external server when the recipients opened them on their devices, allowing attackers to gain access to all files, log clipboard data, take screenshots and steal information.

According to Miaan, one application allowed hackers to download data stored on Whatsapp.

Read also: Iran says US vote hack allegation 'absurd'

Attackers also found a weakness in the installation protocols of encrypted application such as Telegram, enabling them to steal the application's installation files.

The attackers would use these to create Telegram logins to activate the app in the victims' name on other devices, allowing them to secretly monitor all messaging activity of those targeted.

One Miaan researcher said the success of the operation was down to what he said was their skills in deception, which drew victims into a trap.

One malware targeting dissidents in Sweden was designed as a Persian-language instructions tool for Iranians seeking Swedish driver's licenses.

Lotus Finkelstein, head of threat intelligence at Check Point, said it was highly possible that the hackers were freelancers employed by Iranian intelligence.

Follow us on FacebookTwitter and Instagram to stay connected