Cyber-Hacking Forum Linked to Iranian Revolutionary Guards Struggles After Closure, Report Says


By Natasha Phillips


Feb 22 – Thousands of members belonging to a high-profile cyber-hacking forum linked to the Iranian Revolutionary Guards Corps (IRGC) are struggling to regroup online after the forum was shut down, according to a new report by the cyber security company Recorded Future

The report, which was published in January, analyzed posts from over 20,000 Ashiyane Forum members between 2014 and 2018, before the site was closed down in August. Reasons for the site’s closure have not been confirmed. However the report outlines claims from sources that the forum may have been targeted by hackers, or pulled after it was revealed that Ashiyane was operating gambling sites. Gambling is forbidden inside the Islamic Republic, with punishments for operating gambling sites ranging from life imprisonment to the death penalty.

A1-Ashiyane-User-Migration-Graph.-Soucre_-Recorded-Future-Report-January-2019
Ashiyane User Migration Graph. Soucre_ Recorded Future Report January 2019

Iran has reportedly stepped up its use of cyberwarfare in the last few years, with officials now said to be viewing the activity as an important mechanism to further the government’s political objectives. Research by international law firm Linklaters published in January suggests that Iran has become increasingly active in cyber attacks after the U.S. pulled out of the nuclear deal. Spending on cybersecurity may have increased as much as 12-fold since President Hassan Rouhani took office in 2013, according to a report published by Small Media. As of this year, Iran’s state-sponsored hacking is considered to be a greater threat to the West than Russia or China, experts claim. 

Recent attacks attributed to Iranian hackers which targeted U.S. businesses and government agencies led to an emergency order issued by Homeland Security during the government shutdown in January, though it is not known whether the hacks were successful. A former U.S. intelligence agent, Monica Elfriede Witt, was charged with espionage in February after giving Iran government-backed hackers access to details of classified counterintelligence operations, sources’ real names and the identities of U.S. intelligence officers.  

Recorded Future found that of the 18,060 active users before Ashiyane Forum shut down, only 4 percent of posters had screen names with identical matches on other Persian, Arabic, Russian, or English forums. The report concluded that members split into two groups once the site closed: roughly 7 percent with identical screen names migrated to a platform called VBIran.ir and 3.5 percent with exact name matches moving over to website Persian Tools Forum. VBIran and Persian Tools Forum are considerably smaller than Ashiyane, though there are similarities which the report mentions: posts are written mostly in Persian and provide relatively large forums where members can discuss offensive hacking tactics. There is no indication in the report as to where the remaining 89.5 percent of Ashiyane forum members may have gone.   

The Recorded Future report explains that Ashiyane was founded by Behrooz Kamalian, who the report notes is often called the “father of Iranian hacking.” Initially launched in 2002 as a project to help educate youth in Iran about cyber security, the forum became known for its involvement with the Iranian government. The site was run by the Ashiyane Digital Security Team, and was initially defined as a ‘gray hat,’ a term used to describe hackers engaging in activities which occasionally violate the law and ethical standards but without malicious intent. Despite its initial gray hat classification, the company cultivated a reputation for itself defacing websites in Thailand, India, Israel and the U.S., including Mossad and NASA. Kamalian confirmed in 2013 that the Ashiyane Digital Security Team worked with Iranian officials co-operating with Iran’s military and that the company has “always operated in the framework of the goals of the state.”

A2-Iranian-Cyber-Army-Defaces-A-Website
Iranian Cyber Army Defaces A Website

A body of research has emerged with possible clues to the Iranian government’s cyberwarfare strategies and techniques. One such report published in March 2018 by FireEye notes that state-sanctioned hackers in Iran favor spear phishing campaigns which involve sending emails to targeted individuals in order to elicit confidential information. The production of bespoke coding rather than off-the-shelf software allows state-sanctioned hackers to adapt to changes in the online landscape and update malicious software quickly. 

The use by hackers of Persian language and bespoke malware has also helped to pinpoint Iran’s involvement in cyber attacks around the world. FireEye’s report names Iranian threat group TEMP.Zagros, which is also known as MuddyWater, as the entity responsible for attacks carried out between January and March of last year on Middle Eastern nations which oppose Iranian government interests. A 2015 report by Small Media found that while Russian and Chinese hackers were mostly motivated by competitive advantage or financial gain, Iranian hackers were trained to infiltrate servers in order to destroy them. 

The Iranian government has incorporated its cyber activities into its military framework through its Basij Cyber Council which was established in 2010 and which now includes a “cyber Hezbollah,” or cyber army which Gholamhossein Gheybparvar, the Commander of the Basij force told Iranian media outlet Fars would encourage Iran’s youth to be more active in cyberwarfare in order to counter state opposition. A tweet shared on February 19 by Jeff Stone, an associate editor at Cyber Scoop News, places Iran’s hacking groups fourth for the speed at which they move once they gain entry into a breached network.

According to a report published by Washington-based think tank Carnegie Endowment for International Peace in 2018, the Iranian government’s cyber army is now considered to be a world-class player within the global cyber hacking community and notes that it targets poorly defended economic and infrastructure resources online as part of its cyberwarfare strategy.

A3-Website-Hacked-by-Ashiyane-Digital-Security-Team
Website Hacked by Ashiyane Digital Security Team

Several threat groups have been linked to Iran or identified as IRGC-sanctioned organizations since 2010, including Zone-H (also know as the Persian Hack Team), Charming Kitten, Cobalt Gypsy, Iran Hackers Sabotage, Cyber Fighters of Izz ad-Din al-Qassam, Rocket Kitten and “Tarh Andishan,” which means “the thinkers” in Persian.

While Iran’s cyber warfare represents a government attempt at showing that sanctions are not affecting its ability to threaten its opponents, a grass-roots hacking movement called Tapandegan in Iran has emerged to counter the government’s efforts. Tapandegan, which means heartbeat in Persian, uses cyber hacking as a way to pressure the government into meeting its demands. Those demands include forcing the Iranian government to improve the country’s economy and to listen to the needs of the Iranian people. 

Tapandegan targets government mainframes within state-controlled buildings like airports, hijacking notice terminals and TV screens in order to air anti-government videos and tweets showing social unrest inside the country. The group also gains access to Iran officials’ emails and leaks sensitive information which typically shows government corruption or collusion. Prior to Tapandegan’s arrival, international hacking group Anonymous assisted anti-government hackers in 2011 through Operation Iran, which aimed to take down several government websites using distributed-denial-of-service attacks (DDOS).