Iran has erupted in protest after the brutal September 16th killing of Jina (or Mahsa) Amini. The Iranian government has had an extreme response: violent crackdowns, missile attacks on Iraqi Kurdistan, and a near-complete cutoff of its citizenry from any global communications. The reply from the Hacktivist community has been resounding. In part of the so-called “#OpIran”, websites and infrastructure have sustained intense cyber attacks.  Hackers have doxxed government officials and pro-regime celebrities. An important lifeline to the protest movement, these groups provided Iranian citizens with awareness of tools to continue reaching outside support and media while protecting their privacy.

The Killing Of Jina Mahsa Amini, Protests, And Response

Image originally taken from the Kurdistan Press Agency.

On September 13th, twenty-two year old Jina Amini (whose Persian first name was Mahsa), was arrested and killed in Tehran. Amini was of Kurdish descent, and her family lives in Saqqez, Kurdistan Province. Her arrest by the Islamic Republic’s Guidance Patrol and further transfer to the Moral Security Agency was allegedly for the “inappropriateness” of her outfit for wearing her Hijab “too loosely”.

Three days later, Amini was declared dead in an intensive care unit. The government officially claimed that Jina collapsed due to illness, and her cause of death was a heart attack. This claim was contradictory to eyewitness accounts and statements by her family that she was violently beaten in the police van.

Iranian State media immediately tried to publish the CCTV video supporting their claims. The video was published by controversial reporter, Ameneh Sadat Zabihpoor, who has been accused in the past of actively promoting disinformation and working with state police.

An aside: the CCTV video seems to keep getting taken down as misinformation, so the link may be broken by the time this is published.

The clinic where Amini was admitted posted to Instagram that she was brain dead on arrival, but the post has since been deleted.

Further evidence against the Iranian State’s claims was leaked by an unnamed hacktivist group that included the young woman’s CT scan and other medical documentation. 

On September 17th, before all of the details were even known, protests erupted within Iran, as well as the international Iranian community.

Photo originally from Agence France-Presse

International press has covered the extensive protests and extreme violence with which the Iranian government has responded. The response has included lethal attacks on Iraqi Kurdistan, Iran claiming that they were attacking “separatist terrorists” that were responsible for the recent uprisings.

The hashtag, #MahsaAmini, has become a viral beacon for demonstrations around the world, but the Iranian government has shown no sign of letting up. In an effort to silence the online movement, the government has attempted to shut off internet access, including blocking Instagram and Whatsapp services, to hide their violent response.

To follow one of the most targeted Instagram channels covering the protest movement, check out 1500tasvir.

Enter The Hacktivists

Within forty-eight hours of the shutdowns, the infamous hacking collective, Anonymous, declared war on the Iranian state. #OpIran began. Over the past several weeks, their efforts have spread across Telegram groups, Darkweb forums, and various social media platforms to not only offer a communication lifeline to the people of Iran, but have engaged in what’s appearing more like a wholesale cyber insurgency against Iran’s government.

As with Anonymous’ past operations, almost all of the work is done in a decentralized manner. A number of groups have carried out operations under the “#OpIran” moniker. Some of these are claiming to be affiliated with the Anonymous Collective, others are previously active “black hat” and “gray hat” hackers that have diverted some of their efforts for the time being. Through a 40,000+ strong Telegram chatroom and Twitter profiles such as @YourAnonOne and @YourAnonTV, Anonymous have tried to chart the collective efforts of the hacktivist community against the Iranian regime. The following are a handful of their linked resources and factions.

Dark Ghost:

One of the oldest running and higher profile groups that fly under the Anonymous banner, Dark Ghost (AKA GhostClan and GhostSquad) have been running operations since at least 2016 with their confirmed attacks against Ethiopia’s government. Dark Ghost is allegedly run by a user that identifies themselves as “s1ege”. 

Dark Ghost’s choice of targets prior to #OpIran run along ideological lines that may surprise some, among them the US military, ISIS, Donald Trump, and Black Lives Matter.

Dark Ghost espouse solidarity with minority groups the world over, claiming a mission to “…Be a shield against atrocities and voice for the voiceless.”

The GhostSquad have claimed to have successfully taken down the web servers of the government offices in Kuhdasht, the Maslahat mail service, and attempted to take down the website of Iranair.

Kromsecurity:

A newer entity within the Anonymous ecosystem, KromSecurity has recently been engaged with the diplomatic services of Russia and Belarus. They have also tried to expose vulnerabilities in Russian UAVs. The group was created in May of this year, seemingly associated with Spid3r, an operative who has conducted attacks against several governments, including Turkey, Nicaragua, Myanmar, Colombia, Peru, and Ecuador.

So far, Krom has successfully hacked the Iranian Assembly and leaked personal information of most Assembly members. Another successful data breach was conducted against Tehran’s Sharif University, where protestors were shot earlier this week. They have also taken down the website of state-aligned Farsnews.

Anonymous Vietnam:

Anonymous VietNam is an Anonymous-affiliated group that is outspokenly anti-racist. As the name may suggest, they appear to be based out of Vietnam, and despite being a recently formed group, have already found themselves in hostile entanglements with other hackers.

Throughout #OpIran, it seems that Anonymous VietNam has leaked a lot of valuable targeting data, including login credentials, device IP addresses at various email services, and taken out several Blogspot hosted sites associated with the regime.

In solidarity with protestors, the group has also released a number of security resources, including how-to guides for any would-be participants in the operation.

Atlas Intelligence Group:

Atlas Intelligence Group has been focusing on leaks of classified information from the Iranian government, and doxxing various government officials. They have taken credit for attacks on state media and radio stations, as well.

To help Iranians stay online, A.I.G have also made considerable effort to compile proxy resources and release them via their Telegram channel.

ARVIN:

ARVIN have directed most of their efforts towards exposing violence against protesters and delivering news from the disparate uprisings throughout the country. They’ve also been tracking the availability of network communications for regular citizens.

To assist those impacted by internet outages, ARVIN has opened up several VPN servers in order to bypass the regime’s censorship.

Hide01:

Hide01 (AKA RedBlue™) is an Iranian website dedicated to giving away free cybersecurity and hacking training to anyone who wants them. They actively promote hacking and hacktivist culture within Iran, and provide a number of darkweb and cryptocurrency resources to help users cover their tracks.

Through their telegram channel, they have provided their own list of proxy connection resources, including step by step instructions in a number of languages. Their website user base and Telegram groups have grown tremendously since #OpIran began.

Snowflake Proxy:

Diagram taken from Torproject.org

While not a specific group participating in the events of #OpIran, Snowflake is a proxy service developed as part of the TOR Project. It is a plugin compatible with operating systems on most devices that helps users around the world subvert restrictions on TOR browsers. This is extremely important in countries like Iran that do not allow users to connect to TOR networks or use VPNs. The Snowflake Proxy is said to be successful in every country it’s been used, except China.

It has been included in this list, as it’s one of the go-to options provided to Iranians by several of the above groups.

More To Come

#OpIran‘s combination of hostile actions towards a repressive government and intense focus on securing a pipeline of communication for everyday citizens echo efforts taken by Anonymous and other online communities during the height of the Arab Spring and #OpSyria.

If those events, and the constant displays of international solidarity the world has been witnessing on any given day are an indication, there will be a wealth more information to come out about these operations and those executing them in the next months. The increasingly aggressive crackdowns by Iran’s government, and the violence enacted against these protestors seems to only be accelerating the desire for action among the keyboard warriors of the world.

This article originally was supposed to be about Iranian cyber operations, as there was a lot to talk about this year, especially regarding exchanges between Iran and Albania. The topic of Iranian-based APTs continues to develop, and will be covered at a later date. Also importantly, this article did not mean to omit the deaths of Nika Shakarami, Hadis Najafi, and other victims that have been revealed as this story has spread. Mahsa’s death was highlighted, as it was the inciting incident of the hacktivism.