A prominent cyber security group has investigated operations against government websites in Iran and concluded that due to the structure of Iran’s Internet and its separation from the global Internet, operations against government websites, including those belonging to state Radio and Television on January 27, 2022, the Ministry of Foreign Affairs on May 7, 2023, and the office of the president on May 29, 2023 were conducted by infiltration and could not have been the result of penetration from outside Iran.
In recent years, the Treadstone71 cyber security group has published several reports on the Iranian government and its cyber-attacks and has evolved as an authority in this field.
The Treadstone71 report underscores that major attacks on the Iranian government sites were most likely carried out by penetrations from inside Iran, in particular by insiders who had access to these systems.
AdvertisementScores of the Iranian government’s most important websites, as well as online systems of the Tehran Municipality and national radio and television networks, have been subjected to massive attacks since January 2022.
The group “Gyamsarnegouni (“Uprising till Overthrow”) has taken responsibility for the main attacks and has disclosed extensive internal government documents of the Iranian government on its Telegram account. The group has defaced the home pages of a number of websites, posting crossed-out images of Supreme Leader Ali Khamenei, and placing the pictures of Iranian opposition leaders.
In 2022, Albania’s government internet structures and services were targeted by a massive cyberattack, which caused many problems. Extensive investigation by Microsoft and others pointed the finger at Tehran.
According to Treadstone71’s assessment, “Iran has a longstanding history of engaging in cybersecurity attacks, and according to some statistics, ranks fifth among nations known for targeting their adversaries through cyber warfare.”
“As a safety precaution,” Treadstone71 notes in its report, “Iran decided to shift its government websites from European hosting servers to domestic hosting companies, as part of its ‘National Internet’,” and as a result, “All government and state-controlled websites were relocated from European and American hosting servers to domestic hosts,” and “access to select government and state-controlled websites was restricted to the ‘National Internet’, making them inaccessible via the global internet.”
Treadstone71 report underscored, “we also witnessed a different kind of attack, separate from those infiltrating governmental websites on vulnerable Iranian hosting services; those made by Gyamsarnegouni (“Uprising till Overthrow”). Attacks carried out by this group were among the deepest infiltrations against the Iranian government’s networks.”
The report notes:
These attacks stood out due to three key characteristics:
1. The extent of infiltration into the most secure government networks, comparable only to the Stuxnet attack (which used a flash drive).
2. The volume of exfiltrated documents.
3. The widespread access to servers and computers.
The Treadstone71 report underscores that state radio and television networks, particularly in undemocratic countries like Iran, “are among the most isolated and most protected networks.” It further says: “Iran’s internal broadcasting network is not connected to the Internet and is severely air gapped; meaning it is physically isolated from the internet and can only be accessed from within…The only way for an outsider to gain access to the network would be through physical infiltration”
In January 2022, the Iranian news media pointed out that government institutions believe this attack was carried out by individuals who had inside information about Iranian state radio and TV systems.
The attack on the websites of Tehran Municipality on June 2, 2022 included breaking into 5,000 cameras employed for traffic control and face recognition. According to Treadstone71, the hackers “would have known that the cameras were not connected to the Internet and that they would need to gain physical access to the cameras to hack them.”
But Treadstone71’s most startling findings are related to the two high-profile and attention-grabbing attacks by Gyamsarnegouni in May 2023.
During the attack on the website of the Iranian Ministry of Foreign Affairs, hackers gained access to 50 terabytes of data from the Ministry ‘s archives. Treadstone71’s assessment is that this required “penetration into the inner-most layers of this governmental body. The nature of the leaked documents indicates that such documents would be inaccessible from the internet, further supporting suspicions of insider involvement.”
Treadstone71’s expert assessment concluded that “the transfer of 50 TB data would not be possible remotely – and on a filtered network such as that of Iran,” and added that the sheer size of the hack is also revealing about how it was carried out.
“The normal Internet download speed of Iranian is 11.8 megabits per second. To download 50 terabytes of data from the Foreign Affairs Ministry of Iran at this speed would take over 392 days or over a year of uninterrupted download time, and Iran’s Internet frequently drops, is throttled by the government, and experiences regular government-induced blackouts,” the report stated.
“Based on these numbers, such an attack highly likely occurred from direct access to the data.”
In relation to the attack on the website of the presidential office, the hackers breached the most secure communication systems of the government and obtained tens of thousands of documents that were no more than a few months old.
According to an Iranian expert, this site “used a dedicated IP address that was impenetrable.”
“The fact that the hackers gained access to tens of thousands of documents not more than a few months old also suggests that insiders conducted the attack. These documents would have been stored on computers with limited access to the Internet, and it would have been difficult for an outsider to access them,” Treadstone71 stated.
The report concluded by saying: “The Iranian government initially attributed blame to foreign adversaries. However, cybersecurity experts and mounting evidence suggests insider involvement.”
