Suspected Iranian hackers exploit VPN, Telegram to monitor dissidents

The research shows the limits of the cyber industry’s knowledge of Tehran-linked hacking against those who often bear the brunt of it.
(Image: Telegram app, WhatsApp. Getty Images)

For the last six years, hackers have stalked Iranian dissidents with spying tools that mimic the software those dissidents use to protect their communications, security firm Kaspersky said Wednesday.

Researchers from Kaspersky and other firms only recently pieced together the activity, showing the limits of the cyber industry’s knowledge of Tehran-linked hacking against those who often bear the brunt of it: Iranian citizens.

While Kaspersky researchers did not attribute the hacking to the Iranian government, FireEye, another security firm, said it suspected the hackers were affiliated with Tehran. The findings are consistent with a surveillance dragnet that Iranian authorities have used to jail and beat protesters who challenge the regime. Iranian security services killed 304 people in a 2019 crackdown, according to Amnesty International.

The hackers, Kaspersky said, have sent their targets malware-laced images and videos claiming to be from prisoners in Iran. When opened, the malicious documents hijack users’ Google Chrome browsers and Telegram, an encrypted messaging app popular among Iranian activists, to try to steal data. The attackers also planted malicious code in Psiphon, virtual private networking software that Iranians use to evade censorship, according to the research.
The researchers said they didn’t know how many people had been breached in the hacking campaign.

The malicious code analyzed by Kaspersky “can take screenshots and has a keylogging capability,” Kaspersky researchers Aseel Kayal, Mark Lechtik and Paul Rascagneres said in an email. “With these two features, it can monitor the victim’s correspondences and conversations such as instant messaging or emails.”

Tehran has a long history of allegedly using its cyber capabilities on its own citizens.

“In addition to the activity documented in this blog, Mandiant has seen Iran-nexus groups deploy mobile malware and spear phish dissidents to try to gain access to email and social media accounts,” said Ben Read, an analyst at FireEye, when questioned on the latest findings.

The U.S. Treasury Department in September announced sanctions against dozens of Iranians, including alleged members of a hacking group known as APT39, for allegedly targeting Iranian dissidents and journalists. Those hackers are accused of operating on behalf of Iran’s Ministry of Intelligence. Then, in February, security researchers from Check Point exposed more Iranian government-linked attempts to break into the devices of dissidents abroad.
“Regime preservation is the primary concern for many of the Iranian security services that sponsor cyber espionage,” said Read, director of analysis at Mandiant Threat Intelligence. “Iran has always used their cyber capabilities to gather information on individuals, inside and outside Iran, that they view as threats to regime stability.”

Iran regularly denies conducting cyberattacks. A spokesperson for the Iranian Mission to the United Nations did not immediately respond to a request for comment on the research.

The Biden administration has pledged to put human rights at the center of its cybersecurity agenda, but it’s unclear how that will manifest in relations with Iran.

“Far too often cybersecurity is used as a pretext to infringe on civil liberties and human rights,” Homeland Security Secretary Alejandro Mayorkas said in March. “At the end of the day, cybersecurity is about people. It is about protecting our way of life and protecting what we hold dear.”

Written by Sean Lyngaas