New hacking group detected targeting firms in Russia, China

A padlock is displayed at the Alert Logic booth during the 2016 Black Hat cyber-

By Eric Auchard

FRANKFURT (Reuters) – A previously unknown hacking group variously dubbed “Strider” or “ProjectSauron” has carried out cyber-espionage attacks against select targets in Russia, China, Iran, Sweden, Belgium and Rwanda, security researchers said on Monday.

The group, which has been active since at least 2011 and could have links to a national intelligence agency, uses Remsec, an advanced piece of hidden malware, Symantec researchers said in a blog post (http://symc.ly/2aTHoOm).

Remsec spyware lives within an organization’s network rather than being installed on individual computers, giving attackers complete control over infected machines, researchers said. It enables keystroke logging and the theft of files and other data.

Its code also contains references to Sauron, the all-seeing title character in The Lord of the Rings, Symantec said. Strider is the nickname of the fantasy trilogy’s widely traveled main character Aragorn.

Separately, Moscow-based Kaspersky Lab has labeled the same group using the Remsec spyware as “ProjectSauron”.

The newly discovered group’s targets include four organizations and individuals located in Russia, an airline in China, an organization in Sweden and an embassy in Belgium, Symantec said.

Kaspersky said it had found 30 organizations hit so far in Russia, Iran and Rwanda, and possibly additional victims in Italian-speaking countries. Remsec targets included government agencies, scientific research centers, military entities, telecoms providers and financial institutions, Kaspersky said.

“Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation state-level attacker,” Symantec said, but it did not speculate about which government might be behind the software.

Despite headlines that suggest an endless stream of new types of cyber-spying attacks, Orla Fox, Symantec’s director of security response, said the discovery of a new class of spyware like Remsec is a relatively rare event, with the industry uncovering no more than one or two such campaigns per year.

Remsec shares certain unusual coding similarities with another older piece of nation state-grade malware known as Flamer, or Flame, according to Symantec.

Kaspersky agreed that the same group it calls ProjectSauron appears to have adopted the tools and techniques of other better-known spyware, including Flame, but said it does not believe that ProjectSauron and Flame are directly connected.

Flamer malware has been linked to Stuxnet, a military-grade computer virus alleged by security experts to have been used by the United States and Israel to attack Iran’s nuclear program late in the last decade (http://reut.rs/2b2FA8z).

(Editing by Greg Mahlich)

U.N. rights boss says executions in Iran were ‘grave injustice’

United Nations High Commissioner for Human Rights Al Hussein arrives for the 31st session of the Human Rights Council in Geneva

GENEVA (Reuters) – The hanging of up to 20 people in Iran this week followed serious doubts about the fairness of their trials and respect for due process, leading to a “grave injustice” being committed, the United Nations’ top human rights official said on Friday.

Iran executed up to 20 Kurdish Islamists on Tuesday who were suspected of attacks on security forces, drawing condemnation from rights groups which said the convictions may have been based on forced confessions.

They were convicted of killing two Sunni Muslim clerics, several police and wildlife guards, abducting a number of people and carrying out armed robbery and bombings in western Iran, state news agency IRNA said.

U.N. High Commissioner for Human Rights Zeid Ra’ad Al Hussein said the men had been executed for “purported terrorism-related offences” and that reports suggested most if not all were from a minority group – Sunnis from the Kurdish community.

“The application of overly broad and vague criminal charges, coupled with a disdain for the rights of the accused to due process and a fair trial have in these cases led to a grave injustice,” Zeid said in a statement.

Shahram Ahmadi, one of those hanged, was alleged to have been beaten and coerced into signing a blank piece of paper on which his false confession was recorded, Zeid said.

Iran is one of the world’s top executioners, international rights groups say. Human Rights Watch said this week that Iran had executed at least 230 people this year.

Hassan Afshar, a 19-year-old who was 17 when he was arrested and convicted of rape, was executed last month, Zeid said.

“The execution of juvenile offenders is particularly abhorrent and I urge Iran to respect the strict prohibition under international human rights law against this practice,” he said.

(Reporting by Stephanie Nebehay; Editing by Richard Balmforth)

Kerry defends $400 million payment to Iran, says U.S. does not pay ransoms

U.S. Secretary of State John Kerry attends the Central Asia Ministerial at the Department of State in Washington

BUENOS AIRES (Reuters) – U.S. Secretary of State John Kerry on Thursday defended the Obama administration’s payment of $400 million in cash to Iran, denying it was a ransom for the release of American prisoners by Tehran.

“The United States does not pay ransoms,” Kerry told a news conference in the Argentine capital Buenos Aires. He said the payment, which was part of a longstanding Iranian claim at the Iran-US Claims Tribunal in The Hague, was negotiated on a separate track from the Iran nuclear deal.

(Reporting by Gram Slattery; Writing by Lesley Wroughton; Editing by Alden Bentley)

Obama administration denies Iran cash payment was ransom for prisoners

U.S. President Barack Obama answers a question as he and Singapore's Prime Minister Lee Hsien Loong hold a joint news conference at the White House in Washington, U.S.

WASHINGTON (Reuters) – The Obama administration said on Wednesday that $400 million in cash paid to Iran soon after the release of five Americans detained by Tehran was not ransom for them as some Republicans have charged.

The five, including Washington Post reporter Jason Rezaian, were released on Jan. 16 in exchange for seven Iranians held in the United States for sanctions violations. The prisoner deal coincided with the lifting of international sanctions against Tehran.

At the time, the United States said it had settled a longstanding Iranian claim at the Iran-U.S. Claims Tribunal in The Hague, releasing $400 million in funds frozen since 1981, plus $1.3 billion in interest that was owed to Iran.

The funds were part of a trust fund Iran used before its 1979 Islamic Revolution to buy U.S. military equipment that was tied up for decades in litigation at the tribunal.

“The link between prisoner release and payment to Iran are completely false,” State Department spokesman John Kirby said on Twitter in response to a Wall Street Journal article that Washington secretly organized the cash airlift.

White House spokesman Josh Earnest heatedly beat back suggestions the money transfer to Iran was ransom, or a secret.

“The United States, under President Obama, has not paid a ransom to secure the release of Americans unjustly detained in Iran and we’re not going to pay a ransom,” he said at a daily White House briefing.

Earnest said the Republicans who have long opposed the Iran nuclear deal are seizing on how the money was paid to Iran as a way to undermine the deal. “They’re struggling to justify their opposition to our engagement with Iran,” he said.

“I understand the interest in details for a more colorful story but I don’t understand what this does to the broader outlines of an agreement that has been in place for six months now.”

While there have long been questions about the timing of the payment to Tehran, one Iranian concern was that the Obama administration would face too much domestic political criticism if it delayed acting on the tribunal’s decision.

Due to the international sanctions against Iran, the payment, made in euros, Swiss francs and other currencies, had to be made in cash.

Republican presidential nominee Donald Trump blamed his opponent, former Secretary of State Hillary Clinton, for launching the talks with Iran.

“Our incompetent Secretary of State, Hillary Clinton, was the one who started talks to give 400 million dollars, in cash, to Iran. Scandal!” Trump said in a Twitter post.

Republican National Committee spokesman Reince Priebus also weighed in. “The Obama-Clinton foreign policy not only means cutting a dangerous nuclear deal with the world’s number one state sponsor of terrorism, it also means paying them a secret ransom with cargo planes full of cash,” he said in a statement.

House Speaker Paul Ryan was more measured, saying that: “If true, this report confirms our longstanding suspicion that the administration paid a ransom in exchange for Americans unjustly detained in Iran.”

(Reporting by Lesley Wroughton; Additional reporting by Doina Chiacu and Susan Heavey; Editing by John Walcott and James Dalgleish)

Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers

Guy working with those whose accounts were hacked

By Joseph Menn and Yeganeh Torbati

SAN FRANCISCO/WASHINGTON (Reuters) – Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.

Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s WhatsApp, say they have similar capabilities.

Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.

Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.

Armed with the codes, the hackers can add new devices to a person’s Telegram account, enabling them to read chat histories as well as new messages.

“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said in an interview.

Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.

A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows – though it does not require – customers to create passwords, which can be reset with so-called “recovery” emails.

“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.

Iranian officials were not available to comment. Iran has in the past denied government links to hacking.

ROCKET KITTEN

The Telegram hackers, the researchers said, belonged to a group known as Rocket Kitten, which used Persian-language references in their code and carried out “a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus.”

Anderson and Guarnieri declined to comment on whether the hackers were employed by the Iranian government. Other cyber experts have said Rocket Kitten’s attacks were similar to ones attributed to Iran’s powerful Revolutionary Guards.

The researchers said the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

The researchers said they also found evidence that the hackers took advantage of a programming interface built into Telegram to identify at least 15 million Iranian phone numbers with Telegram accounts registered to them, as well as the associated user IDs. That information could provide a map of the Iranian user base that could be useful for future attacks and investigations, they said.

“A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has never been exposed before, Guarnieri said.

Ra said Telegram has blocked similar “mapping” attempts in the past and was trying to improve its detection and blocking strategies.

Cyber experts say Iranian hackers have become increasingly sophisticated, able to adapt to evolving social media habits. Rocket Kitten’s targets included members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents, U.S.-Israeli security firm Check Point said last November.

POPULAR IN THE MIDDLE EAST

Telegram was founded in 2013 by Pavel Durov, known for starting VKontakte, Russia’s version of Facebook, before fleeing the country under pressure from the government.

While Facebook and Twitter are banned in Iran, Telegram is widely used by groups across the political spectrum. They shared content on Telegram “channels” and urged followers to vote ahead of Iran’s parliamentary elections in February 2016.

Last October, Durov wrote in a post on Twitter that Iranian authorities had demanded the company provide them with “spying and censorship tools.” He said Telegram ignored the request and was blocked for two hours on Oct. 20, 2015.

Ra said the company has not changed its stance on censorship and does not maintain any servers in Iran.

After complaints from Iranian activists, Durov wrote on Twitter in April that people in “troubled countries” should set passwords for added security.

Amir Rashidi, an internet security researcher at the New York-based International Campaign for Human Rights in Iran, has worked with Iranian hacking victims. He said he knew of Telegram users who were spied on even after they had set passwords.

Ra said that in those cases the recovery email had likely been hacked.

Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas on Thursday. Their complete research is set to be published by the Carnegie Endowment for International Peace, a Washington-based think tank, later this year.

(Reporting by Joseph Menn in San Francisco and Yeganeh Torbati in Washington; Additional reporting by Michelle Nichols at the United Nations and Parisa Hafezi in Ankara; Editing by Jonathan Weber and Tiffany Wu)

Iran receives the missile part of S-300 defense system from Russia

Russian military vehicles move along a central street during a rehearsal for a military parade in Moscow

DUBAI (Reuters) – Russia has delivered the missile part of S-300 surface-to-air defense system to Iran, Tasnim news agency reported on Monday, moving to finish the delivery of all divisions of the system to Tehran by the end of this year.

“The first shipment of missiles of S-300 missile system has recently entered Iran that shows Iran’s determination to equip its air defense circle with this system,” Tasnim news agency, which is close to the Revolutionary Guards, reported.

Russia’s agreement to provide Iran with S-300 has sparked concern in Israel, whose government Iran has said it aims to destroy.

Russia says it canceled a contract to deliver S-300s to Iran in 2010 under pressure from the West.

President Vladimir Putin lifted that self-imposed ban in April 2015, after an interim agreement that paved the way for July’s full nuclear deal.

Russia delivered the first parts of S-300, the missile tubes and radar equipment, to Iran in April.

(Reporting by Bozorgmehr Sharafedin; Editing by Angus MacSwan)

Iran says U.N. report on its ballistic missile tests ‘unrealistic’

ballistic missile launched

By Parisa Hafezi

ANKARA (Reuters) – Iran has rejected as “unrealistic” a report by the U.N. leader that criticized its ballistic missile launches as inconsistent with its nuclear deal with world powers, the semi-official Tasnim news agency said on Friday.

Iran’s elite Revolutionary Guards Corps (IRGC) conducted ballistic missile tests in early March and called them a demonstration of its non-nuclear deterrent power.

The United States and its European allies said that by testing nuclear-capable missiles, Tehran had defied a U.N. Security Council resolution and urged U.N. Secretary General Ban Ki-moon to tackle the matter.

Reuters reported on Thursday that a confidential report by Ban had found Iran’s missile tests to be inconsistent “with the constructive spirit” of the 2015 deal under which Iran curbed sensitive nuclear activity and won sanctions relief in return.

“We suggest that Mr. Ban and his colleagues… produce a realistic report…They should not yield to political pressures from some members of the (Security) Council,” Tasnim quoted an unnamed Foreign Ministry official as saying.

Ban’s report stopped short of calling the missile launches a “violation” of Security Council Resolution 2231, which endorsed the nuclear agreement that defused Iranian-Western tensions which had raised fears of a wider Middle East war.

His report said it was up to the Security Council to decide if Iran violated Resolution 2231 which “calls upon” Iran to refrain for up to eight years from activity related to ballistic missiles with cones that could accommodate a nuclear warhead.

Iran has consistently denied its missiles are designed to carry an atomic device. Ban’s report said Iran had stressed that it had not undertaken “any activity related to ballistic missiles designed to be capable of delivering nuclear weapons.”

The Council is due to discuss Ban’s report on July 18.

Tehran has accused the United States of failing to meet its commitments under the nuclear deal, saying Washington should do more to lift its own sanctions affecting banks so businesses feel confident of being able to invest in Iran without penalty.

“I hope the Reuters report is not true … I suggest that Mr Ban give a fair report … in which he also mentions America is not fulfilling its commitments under the deal,” the official told the Tasnim agency.

The German government, responding to reports by its spy service that Iran has been trying to acquire nuclear technology in Germany, said on Friday certain forces in Iran may be trying to undermine the nuclear deal.

International sanctions on Tehran were lifted in January under the nuclear deal, but current U.S. policy bars foreign banks from clearing dollar-based transactions with Iran through U.S. banks.

(Writing by Parisa Hafezi; Editing by Mark Heinrich)

Iran’s Rouhani accuses West of exploiting Sunni-Shi’ite rift, raps Israel

Iran at Palestinian Rally

By Parisa Hafezi

ANKARA (Reuters) – Iran’s President Hassan Rouhani accused Western powers of trying to exploit differences between the world’s Sunni and Shi’ite Muslims to divert attention from the Israel-Palestinian conflict, state television reported on Friday.

Rouhani’s comments came as tens of thousands of Iranians joined anti-Israel rallies across the country to express support for the Palestinians. They chanted “Death to Israel” and “Death to America” and burned the Israeli flag.

“The global arrogance (the United States and its allies) wants to create discord among Muslims … Unity is the only way to restore stability in the region,” Rouhani said.

“We stand with the dispossessed Palestinian nation.”

Opposition to Israel, which Tehran refuses to recognize, has been a cornerstone of Iranian policy since its 1979 Islamic revolution. Shi’ite Muslim Iran backs Palestinian and Lebanese militant groups who oppose peace with Israel.

“The Zionist regime (Israel) is a regional base for America and the global arrogance … Disunity and discord among Muslim and terrorist groups in the region … have diverted us from the important issue of Palestine,” Rouhani said.

Shi’ite-led Iran has repeatedly called on its Sunni Muslim rival Saudi Arabia to help improve their strained bilateral relations and work for stability in the Middle East.

Arch-rivals for regional hegemony, the two oil producers are on opposite sides in proxy battles in the region, where they back competing factions in Iraq, Syria, Yemen, Lebanon and Bahrain.

Ties have worsened since Riyadh’s execution in January of prominent Shi’ite cleric Nimr al-Nimr prompted attacks on the Saudi embassy in Tehran. Saudi Arabia subsequently cut all ties with Iran.

Riyadh is worried that a landmark nuclear deal reached between Iran, the United States and five other major powers in 2015 will help Tehran gain the upper hand in their regional standoff.

MISSILE DEFENSE SYSTEM

Iran’s elite Revolutionary Guards Corps (IRGC) said in March that “the occupied Palestinian territories are within the range of most of the Islamic Republic’s missiles”, Iran’s state television Press TV reported.

A senior IRGC commander said Iran’s new Russian-made S-300 missile defense system would be operational by March.

“Its divisions are being delivered to Iran and the system will be operational by the end of this Iranian year,” the semi-official Tasnim quoted Amir Farzad Esmaili as saying.

Russia delivered the first part of the S-300 missile defense system to Iran in April, one of the most advanced systems of its kind that can engage multiple aircraft and ballistic missiles around 150 km (90 miles) away.

“Hezbollah has 100,000 missiles that are ready to hit Israel to liberate the occupied Palestinian territories if the Zionist regime repeats its past mistakes,” Tasnim quoted IRGC deputy head Hossein Salami as saying.

(Editing by Gareth Jones)

Hezbollah to send more fighters to Syria’s Aleppo

Hezbollah leader

BEIRUT (Reuters) – The leader of Lebanon’s Hezbollah movement said on Friday it will send more fighters to Syria’s Aleppo area, a battleground where it has suffered heavy losses fighting alongside Syrian government forces against insurgent groups.

Sayyed Hassan Nasrallah said thousands of Hezbollah’s Sunni militant foes had recently entered Syria via the Turkish border with the aim of taking over Aleppo and its surrounding countryside.

“We are facing a new wave…of projects of war against Syria which are being waged in northern Syria, particularly in the Aleppo region,” Nasrallah said in a speech broadcast live on the group’s Al Manar TV.

“The defense of Aleppo is the defense of the rest of Syria, it is the defense of Damascus, it is also the defense of Lebanon, and of Iraq,” he said.

“We will increase our presence in Aleppo,” he said. “Retreat is not permissible.”

Shi’ite, Iranian-backed Hezbollah has long supported President Bashar al-Assad against mostly Sunni insurgents.

Aleppo has been a focus of intensified fighting in the months since peace talks in Geneva broke down and a ceasefire deal brokered by Washington and Moscow unraveled. Russia intervened in the five-year-old conflict in September with an air campaign to support Assad.

“It was necessary for us to be in Aleppo … and we will stay in Aleppo,” Nasrallah said.

Aleppo city is split between government and rebel control. Russian and Syrian warplanes have pounded a road leading from the rebel-held areas north towards the Turkish border. That major rebel supply line from Turkey to Aleppo city was effectively cut by government advances earlier this year.

A pro-Damascus source recently told Reuters government forces and their allies are trying to encircle rebels in the Aleppo area. Assad, for whom the recapture of Aleppo would be a strategic prize, has vowed to take back “every inch” of Syria from what he calls terrorists.

Russia’s intervention has helped government forces and their allies advance against insurgents, and separately against Islamic State, in some areas.

But some of those battles have been costly, including around Aleppo.

Islamist insurgents including the al Qaeda-linked Nusra Front in May inflicted heavy losses on a coalition of foreign Shi’ite fighters including Iranians and Hezbollah members south of Aleppo.

Nasrallah said that 26 Hezbollah fighters had been killed in June alone, a rare acknowledgment of the toll their involvement is taking. Several of its senior military commanders have died in the Syrian conflict, alongside hundreds of fighters.

Nasrallah also denied Hezbollah was in imminent fiscal trouble as a result of a U.S. law targeting the group’s finances. The law, passed in December, threatens to bar from the American financial market any bank that knowingly engages with Hezbollah. It has ignited a standoff between Hezbollah, a dominant political force in Lebanon, and the Lebanese central bank.

(The story is refiled to change city to area in lead)

(Reporting by John Davison and Laila Bassam; Editing by Angus MacSwan)