Two new reports claim to reveal an “ongoing” and “large-scale” hacking operation sponsored by the Iranian regime primarily targeting minorities and opposition groups.

The first report, published by researchers at US-Israeli cybersecurity firm Check Point, details the myriad ways in which, for “at least six years”, regime-sponsored hackers have attempted to “steal as much information as [they] can” through a range of sophisticated techniques, such as malware and phishing scams. 

The second report, by cybersecurity-focused rights organisation Miaan Group, concludes that a Mashhad-based firm was behind a spate of malware attacks in the past few years, including the February 2018 attack on the administrator of a Sufi website which inspired the research. 

Both reports conclude the attacks were very probably state-sponsored.

Miaan’s report says the pattern of targeting political dissidents, journalists, human rights defenders, lawyers, student activists, and others from Iran’s ethnic and religious minority communities, “along with other suspicious aspects of the hacking efforts, point to a state-sponsored program”.

Meanwhile Lotem Finkelstein, head of threat intelligence at Check Point, told the New York Times the “infrastructure” used in the hacks led Check Point to conclude the attacks were “administered by Iranian entities against regime dissidents”.

He added that it was “highly possible” the hackers were freelancers employed by Iranian intelligence, as in previous hacks.

The New York Times article noted that the ability of Iranian hackers to outsmart highly sophisticated and encrypted messaging systems – including tech giants WhatsApp, Instagram and Telegram – was “a capability Iran was not previously known to possess”.

The result, Check Point’s report concludes, is that the hackers were able to “spy on their victims’ personal computers and mobile devices” by gaining access to their messaging apps, as well as devices’ cameras and microphones to take voice recordings and screenshots.

Check Point also cited examples of hackers removing blogs containing critical information, including a 2018 Al-Arabiya blog about Iranian cyber attacks and a 2012 blog by HRANA focused on human rights violations.

Miaan’s report notes that the majority of hacking targets were abroad – including in the US, Canada, Czech Republic, Germany, New Zealand, Abkhazia, Turkey, Russia, China, Thailand, Brazil, Finland, Azerbaijan and Denmark.

Miaan researcher Amir Rashidi told Article18 that “in years of following Iranian hackers, this was the first time I saw a group of hackers focused so heavily on ethnic and religious groups”. 

He added that the hackers had targeted both individuals and groups.

The researchers at Check Point said the “handpicked targets” they observed, such as supporters of opposition groups, “reflects some of the internal struggles in Iran and the motives behind this attack”, as the “conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime.

“According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices.

“Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regiment.”

Both reports note that the hackers specifically attempted to trick users into handing over their two-step authorisation codes – previously considered a highly secure protection method.

The researchers at Check Point also warned that in the case of one malicious application, it was “obvious” that it was still being developed, “with various assets and functions which were either leftovers of previous operations, or not yet utilised”.