When protests erupted in Iran over the death in custody of a woman arrested for violating gender ethics laws, hacker groups began offering help — and sometimes hoping to cash in on it. However, researchers warn that the deals may not be as benevolent as they appear.
Cybersecurity firm Check Point said it observed talks about the Iranian protests among the groups shortly after Mahsa Amini’s death on September 16, as demonstrations erupted.
For the past week, the Iranian government has restricted mobile internet access from late afternoon around 4 p.m. to midnight local time, according to Doug Madory, director of internet analytics at Kentik. Although landline internet services remain online, popular services like Instagram and WhatsApp are blocked, he said.
“What we are seeing are groups from Telegram, the dark web and also the ‘regular’ web that are helping the protesters to bypass the restrictions and censorship currently put in place by the Iranian regime to deal with the protests,” Check Point researcher Liad Mizrachi said in an email.
The hacking groups gather in chat rooms with thousands of members, and recently some have shared information about virtual private networks (VPNs) or proxy services for use by people in Iran.
Others in the groups appear to be trying to leak or sell data they claim is linked to the Iranian regime — including alleged information on government officials and maps of sensitive areas, Check Point said.
Among the groups are cybercriminal operations including the Arvin Club and the Atlas Intelligence Group, the company said. Arvin Club is a ransomware group with a popular Telegram channel that frequently shares information about data leaks. Users often post in Persian, and the group has previously denied rumors of collaborating with the Iranian regime, according to dark web monitoring service DarkOwl.
Members of the Arvin Club channel shared information about alleged data leaks concerning Iran, as well as VPN links and censorship bypass instructions for the private browsing tool Tor, according to screenshots shared by Check Point and The Record’s review of the chat.
The channel also changed its profile image to a black silhouette of Iran with the words “sensitive content” and a crossed-out eye icon.
Cyber mercenary operation Atlas Intelligence Group (AIG) shared information about proxies and a note encouraging protesters to evade censorship, according to Check Point’s research. It has also put up alleged Iranian data for sale. AIG uses an outsourcing approach to its hacking efforts, serving almost as a fixer service between customers and hackers.
The veracity of documents leaked or sold by such groups is unclear. So is the safety of some of the help they claim to offer.
According to Madory, VPNs and proxy services are theoretically a way to circumvent censorship on Iran’s still-functioning fixed-line internet.
However, links to these services provided by cybercriminal organizations might not be the most trustworthy way to access them.
“The VPN may not be secure, but considering it could work to bypass censorship restrictions, many still think it’s worth trying,” Mizrachi said. “The risk is that the service might snoop on traffic (essentially make a copy of it) and leak sensitive information. There is also a small chance that the [Islamic Revolutionary Guard Corps] themselves are trying to offer a ‘free VPN’ to trick people into using it so they can then identify them,” he added.