The history of Iranian offensive cyber operations has demonstrated that the same threat actors responsible for espionage against the private sector engage in surveillance of human rights defenders, and with considerably more success, given the latter’s resource constraints. Through the lens of such attacks, the relationship between Iran-originated cyber activities and the government as well as the motivations for such operations are made clearer. These communities foreshadow the tactics and tools that will be employed against other targets, and increased information will enable more effective education and mitigation strategies.

While the internet has afforded Tehran’s security agencies new possibilities for surveilling and intercepting the communications of its citizens, concurrent information technologies also limit the reach of the state. Iran was one of the first countries in the Middle East to connect to the internet, and as a result over half of the population was frequently using the internet as of March 2017.104 Iranian internet users have been quick to embrace social media and chat applications in large numbers as forums where there are more social freedoms.

As Iranian citizens have moved their communications to internet platforms hosted outside Iran and protected their communications from eavesdropping by using encryption, they have also evaded the more traditional means by which Iranian law enforcement and intelligence agencies perform surveillance.105 Whereas local hosting providers and social media could be compelled to remove content and disclose account ownership information, platforms hosted outside Iran are beyond the direct reach of the state.

The Iranian government has sought to compel foreign firms to comply with requests for user data, without great success.106 Domestic alternatives to foreign services, supported by the state under its national internet plan, have failed to attract significant adoption (Iranian officials themselves tend to use communication tools and social media applications developed in the United States).107 Moreover, millions in the Iranian diaspora—many of whom left Iran because of state repression—live in countries with no security cooperation agreement with Tehran and are less inclined to communicate over insecure Iranian platforms. As a result, in contrast to the first two decades after the revolution, Iranians’ communications and personal activities are increasingly out of the state’s reach. This dynamic has fundamentally altered the nature of state controls.

The Iranian government has struggled to respond to the challenges posed by the internet to the state’s information and communication monopoly. Among its first responses was mandatory content filtering, which entailed blocking access to any sites considered pornographic, antireligious, or politically subversive. With the increased availability of circumvention tools, however, filtering became less effective. Subsequently, basic offensive cyber operations, such as disrupting adversarial sites during the Green Movement, gave the regime the ability to reassert some control over information flows and project the illusion of the Islamic Republic’s dominance over the internet.

Iranian cyber operations are highly adaptable as the online platforms and tools used by the public change. For example, after Iranians shifted to Telegram because of its unfiltered public chat feature and security claims, so too did the attention of Iranian threat actors. Alongside credential theft operations targeting Telegram users, one threat actor appears to have gone as far as mapping all the Telegram accounts connected with Iranian telephone numbers. This information-gathering operation had deeper ties to efforts to target the chat application’s users and aligned with recurrent arrests of administrators from critical Telegram groups. This learning process is repeated elsewhere, including for mobile phones and Macintosh computers.108

Across discrete sets of threat actors and different periods of time, state-aligned offensive cyber operations routinely focus on similar classes of targets, primarily:

  1. Government officials
  2. Reformist politicians
  3. Media professionals
  4. Religious minorities
  5. Cultural figures
  6. Opposition groups, terrorist organizations, and ethnic separatist movements

Government Officials

Numerous Iranian threat actors have sought to compromise members of Hassan Rouhani’s government, the administration of former president Mahmoud Ahmadinejad, and the state’s bureaucratic institutions. The operations target not only government officials but also their relatives, including a sustained campaign directed against Rouhani’s immediate and extended family (particularly his brother and adviser, Hossein Fereydoun).109 Magic Kitten, the earliest known threat actor, from the outset engaged in intrusions of the Islamic Republic of Iran Broadcasting state television network and the Center for Strategic Research, the think tank research arm within the Iranian government’s Expediency Council that was headed by Rouhani at the time.

Campaigns targeting the Iranian government are ongoing. The targeting of members of government—individuals that have already been vetted by the regime—reflects the importance of cyber surveillance as a tool of the hardline security establishment to monitor potential rivals for power and accrue sensitive information about people’s lives that could potentially be used for blackmail or humiliation.

The Iranian Ministry of Foreign Affairs provides the most prominent and visible example of intragovernmental spying. Iranian diplomats have been frequent targets of spearphishing attempts conducted by IRGC-affiliated threat actors since the beginning of the Rouhani administration. These activities align with accusations in the hardline press that the nuclear deal betrayed Iranian interests.110 The hacking attempts also mirror a history of arrests and pressure brought to bear on members of the diplomatic service accused of spying, including the August 2016 detention of Abdolrasoul Dorri-Esfahani, who served on Iran’s nuclear negotiating team for the JCPOA.111 Because diplomacy requires interacting with officials from foreign governments and external experts, these contacts can quickly be portrayed as espionage for foreign powers.

While Foreign Minister Javad Zarif and other figures have been the targets of social media defacements and threats, the campaigns conducted by the indigenous threat actors outlined in this report differ in their intent from simple hacktivism or vandalism. The objective is the collection of personal information from private accounts on international platforms and the monitoring of intimate political and professional networks of government officials.112 These tactics include the typical credential theft attempts against personal email accounts seen elsewhere; however, special effort has been made to compromise government officials and their family members through elaborate deception and by using privileged resources.113 Once compromised, those accounts have then been turned on their diplomatic contacts and peers. Zarif and other senior diplomats have been repeatedly impersonated and targeted by different IRGC-affiliated threat actors, as early as 2013 and as recently as February 2017.114

The diplomatic corps is not the only target of intragovernmental spying: several cabinet officials of the Rouhani administration have had their personal email accounts targeted and compromised.115 The cyber operations conducted by Iranian threat actors have extended beyond immediate members of government to target members of the Shia religious establishment, which undergirds the state’s ideology and political affairs. Campaigns have compromised multiple individuals located in Qom, the center of Iranian religious matters, including hosts within the Center for Services of Islamic Seminaries and the Islamic Propagation Office of Qom.

Reformist Politicians

The accounts of Iranian reformers are a primary target for Iranian threat actors. Though reformers profess loyalty to the revolution and the Islamic Republic, they favor less state intervention in society and a less confrontational foreign policy, prioritizing the country’s national interests before revolutionary ideology. Consequently, they have been increasingly purged from Iranian politics and there is a media and travel ban against their most prominent leader, former president Mohammad Khatami (who served from 1997 to 2005).116

After the Green Movement, associates of the former reformist presidential candidates Mehdi Karroubi and Mir-Hossein Mousavi were aggressively targeted by the regime to try to stifle their activities, even those who had fled under threat of prosecution. Unwilling to allow a repeat of the Green Movement, the regime tightened information controls in the run-up to the 2013 presidential election of Hassan Rouhani. Access to popular anticensorship tools was cut off, and internet speeds were throttled until after the election results were announced.117 During this time, several Iranian actors began to concurrently target the accounts of Iranian political dissidents.118 Offline, the families of international Persian-language media employees were harassed, and reporters inside Iran were subject to censorship or arrest.119

One of the first known cases of politically motivated hacking in Iran was when the blog of Mohammad-Ali Abtahi, the former vice minister of the Ministry of Culture and Islamic Guidance under Khatami, was defaced after he wrote about the arrest of bloggers in 2005.120 Since then, Abtahi has been repeatedly targeted and impersonated by different Iranian threat actors in credential theft and social engineering operations.121 Abtahi’s experience is emblematic of these groups’ prioritization of reformists. Public figures in the reformist movement from all segments of society and politics have been targeted: not only the overtly repressed activists connected to Khatami, Karroubi, and Mousavi but also former government officials, religious scholars, politicians, and professors.

The cyber operations against reformists have been broad, successful, and frequent. One threat actor maintained access to a computer used by a reformist cleric and a deputy at a prominent Iranian university for months, watching him conduct political operations and media interviews.122 Similarly, in December 2015 the Facebook account of Gholam Ali Rajaee, a political activist close to former president Akbar Hashemi Rafsanjani, was used to spearphish the accounts of journalists and others.123 The previous year, that same threat actor, Rocket Kitten, had also successfully compromised a number of former parliament members and other reformists in the diaspora, some of whom were later arrested.

Young activists mobilizing for reformists were targeted with malware and credential theft operations in the lead-up to the February 2016 parliamentary election, particularly those connected to female candidates. The targeting often aligns with offline pressure from the IRGC and the Intelligence Ministry: when the office of one reformist close to Rouhani was raided in May 2017, he was targeted in repeated spearphishing attempts. Despite the ascent of moderates to more positions of power, reformists remain a primary target of the government’s cyber capabilities.

Media Professionals

Iranian cyber operations have repeatedly focused on journalists working with reformist media outlets and international satellite broadcasters that fall immediately outside the strict state-sanctioned narratives. Multiple Iranian threat actors conducted numerous credential theft attempts, using fake service notifications, against Iran-based foreign correspondents and Iranian journalists working for prominent publications such as Shargh and the Iranian Labor News Agency. Similarly, freelance reporters inside Iran are frequently compromised through fictitious personas that send them malware purporting to be news content. These campaigns have often targeted publications that would later be closed and journalists who would be detained by Iranian security forces. These incidents are also often timed with elections, normally periods when the government has more aggressively prosecuted journalists.

The case of Jason Rezaian, the Washington Post’s former correspondent in Iran, is illustrative of state-aligned threat actors’ focus on foreign press working in Iran. Before his arrest on July 22, 2014, and eighteen-month imprisonment by the IRGC, Rezaian had been the target of concerted intrusion efforts by Flying Kitten. The threat actor attempted to compromise Rezaian’s Hotmail and Gmail accounts on multiple occasions through credential theft attempts launched from fictitious security addresses; these attempts warned of spam being sent from the account and of other hacking threats. The emails were not themselves technically sophisticated, as the English used in the messages was poor and the approach was amateurish. However, the behavior in these incidents was unique in that Rezaian’s accounts were singled out from a small set of targets several months prior to his arrest.
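The lures described in the two paragraphs above share a structure: a message that claims to come from the mail provider’s security team, warns of spam or hacking on the account, and pushes the reader to a login page. The following Python triage script is an added example, not code from the report or from any of the threat actors it describes; it flags that structure in raw messages by comparing the brand a message invokes against its sending domain, its Reply-To, and the domains of its embedded links. The two sample messages are constructed, and the brand-to-domain table and the lure vocabulary are assumptions chosen for illustration, not a vetted blocklist.

```python
"""Heuristic triage of 'security notification' credential-theft lures.

Added example (not part of the original report). The sample messages below are
constructed; BRAND_DOMAINS and LURE_WORDS are illustrative assumptions.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: which registrable domains legitimately send mail for a brand word.
BRAND_DOMAINS = {
    "gmail": {"google.com"},
    "google": {"google.com"},
    "hotmail": {"microsoft.com", "live.com", "outlook.com"},
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
    "facebook": {"facebookmail.com", "facebook.com"},
}

# Assumption: pressure vocabulary seen in account-security lures (the report
# mentions warnings of spam sent from the account and other hacking threats).
LURE_WORDS = ("spam", "hack", "suspend", "verify", "unusual", "confirm your")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the constructed samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(addr_header):
    """Registrable domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(addr_header)
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def brands_in(text):
    low = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in low}


def triage(raw):
    """Return the list of reasons a raw RFC 5322 message looks like a lure."""
    msg = message_from_string(raw, policy=default)
    from_hdr = msg.get("From", "")
    display, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    subject = msg.get("Subject", "")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    reasons = []

    # 1. The display name or subject invokes a provider the sender is not part of.
    for brand in sorted(brands_in(display + " " + subject)):
        if from_dom not in BRAND_DOMAINS[brand]:
            reasons.append(f"claims {brand} but sent from {from_dom}")

    # 2. Replies are redirected to a domain other than the sender's.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from {from_dom}")

    # 3. Links lead outside both the sender's domain and the invoked brand's domains.
    allowed = {from_dom}
    for brand in brands_in(display + " " + subject + " " + body):
        allowed |= BRAND_DOMAINS[brand]
    for url in URL_RE.findall(body):
        host = registrable(urlparse(url).hostname or "")
        if host and host not in allowed:
            reasons.append(f"link to {host} outside {sorted(allowed)}")

    # 4. Pressure wording. Alone this is weak evidence: real provider alerts use it too.
    hits = [w for w in LURE_WORDS if w in (subject + " " + body).lower()]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    return reasons


def is_suspicious(raw):
    """True only when a structural indicator (reasons 1-3) is present."""
    return any(not r.startswith("lure wording") for r in triage(raw))


# Constructed sample: the shape of lure the report describes.
PHISH = """\
From: "Gmail Security Team" <security-alert@gmail-support-center.com>
Reply-To: recover@mail-verify-account.net
To: reporter@example.org
Subject: Warning: spam is being sent from your account
Content-Type: text/plain; charset="utf-8"

We detected spam sent from your account and other hacking threats.
Confirm your password within 24 hours: http://gmail.account-verify-login.net/recover
"""

# Constructed sample: a provider alert that should not be flagged.
BENIGN = """\
From: "Google" <no-reply@accounts.google.com>
To: reporter@example.org
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A new sign-in on Linux. If this was you, no action is needed.
Review activity: https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, is_suspicious(sample), triage(sample))
```

The deliberate design point is the fourth heuristic: urgency wording is what the victim notices, but on its own it also matches genuine provider alerts, so `is_suspicious` only fires on a mismatch between the invoked brand and the sender, Reply-To, or link domains. That is also the check worth teaching high-risk users: look at where the link and the reply actually go, not at what the message says it is.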

Religious Minorities

Iranian religious minorities are obvious targets of the Iranian security forces, most notably adherents of the highly persecuted Baha’i faith, who have long been accused of promoting conspiracies against the Islamic government.124 With the widespread adoption of the internet, the Baha’i leadership, based mostly in the United States and Haifa, Israel, enjoyed new organizational and communication opportunities otherwise denied to them offline. Those same technologies, however, also gave the Iranian state new capabilities for intelligence gathering and propaganda dissemination against the Baha’i.

In April 2014, the Gmail account of a former director of external affairs for the U.S. Baha’i organization was accessed from inside Iran. The director had a history of international advocacy on behalf of the Baha’i Assembly that included testifying before Congress on the status of religious minorities in Iran. This made her a natural target for Iran. Fictitious LinkedIn and social media profiles previously employed against the U.S. defense industry, including one claiming to be former UN ambassador John Bolton, were used to target the Baha’i director with credential theft attempts posing as reports on religious persecution.

Prominent members of the faith, including the diaspora relatives of imprisoned Baha’i leaders in Iran, continue to be subjected to sustained cyber operations. Similarly, cutout groups as recently as February 2017 defaced Baha’i sites with pro-regime propaganda coinciding with events such as the anniversary of the Islamic Revolution. The ongoing targeting of the Baha’i and the defacement of their sites underscores the Iranian regime’s concern with organizations it perceives as subversive and its use of disruptive attacks to buttress the ideological agenda of the state.

The religious targets of Iranian cyber operations have not been limited to aggressively marginalized groups such as the Baha’is but also include recognized religious communities such as Christians, Jews, Zoroastrians, and Sunni Muslims. In one example, a mainstream Jewish community leader in Tehran was compromised through malware and surveilled as he went about coordinating events and managing a local religious publication. Still other spearphishing campaigns have routinely targeted evangelical Christian converts, atheists, or new age religious sects. More broadly, a malware campaign posing as information on the persecution of Christian converts was sent to human rights organizations, and fictitious profiles have posed as religious minorities to infiltrate evangelical Persian-language networks.125

Cultural Figures

Iran-originating spearphishing campaigns have also targeted Iranian cultural figures—including artists, musicians, comedians, cartoonists, and satirists—regardless of whether they reside in Iran or abroad.

These campaigns have included the targeting and compromise of social media and email accounts for the Germany-based musician Shahin Najafi, multiple pop stars who left Iran after the Islamic Revolution, a Persian-Israeli singer, and an Iranian-born female metal musician based in the United States, among others. There have also been intrusions into devices and accounts associated with less prominent underground artists inside Iran and networks of fictitious social network profiles connected with Iranian death metal bands and hip-hop groups. This pattern of targeting famous pop musicians and their staff, both inside Iran and abroad, is recurrent and does not focus solely on individuals critical of the establishment.

Iranian security forces have publicly acknowledged their operations to identify individuals involved in “immoral behavior” online. In January 2016, several Iranian fashion models popular on social media were arrested for their activities online and forced to delete their accounts, an effort labeled by the IRGC as Operation Spider. At the same time, the arrests of employees of the foreign-based AAA Music television channel led to their social media accounts being defaced with a message, purportedly from the Ministry of Intelligence, about the illegality of the network. In interviews with and public statements by those rounded up in Operation Spider, these individuals were commonly operating openly, and the defacements were conducted after they were forced to hand over passwords.

Operation Spider was not the first of its kind: the activities of Flying Kitten suggest an earlier interest in surveillance of the Iranian fashion industry.126 In early 2014, the threat actor compromised the computer of a social media model who was popular for portraying a fashionable lifestyle without wearing the state-mandated hijab.127 After the intrusion she retreated offline, stopped logging on to modeling sites, and deleted her Facebook account. Her image was also appropriated for further operations against other communities. The opaque nature of campaigns such as Operation Spider obscures how Iranian authorities track down people like online models. However, incidents such as the Flying Kitten compromise and the infiltration of LGBT-support networks and sex worker social media communities by others suggest a relationship between the two efforts.

Opposition Groups, Terrorist Organizations, and Ethnic Separatist Movements

Despite its labeling of civil dissent as a threat to national security, Iran does face real threats of terrorism and organized crime from nonstate actors, evidenced by the self-proclaimed Islamic State’s June 2017 attacks on its parliament and the mausoleum of former Iranian supreme leader Ayatollah Ruhollah Khomeini. While documentation of Iranian cyber operations by international researchers has typically assumed that all domestic targets of intrusion campaigns are political dissidents, a small portion of these campaigns focus on areas in which law enforcement hacking has become internationally normalized, chiefly in the collection of evidence and intelligence on violent terrorist activities and financial crime.

For instance, Iranian threat actors have actively sought to compromise the digital operations of Sunni jihadi movements through credential theft, malware, and other intrusions.128 To compromise Islamist organizations, Iranian actors have leveraged bait documents and messages in Persian and Arabic and posed as media organizations such as Al Jazeera and Al Arabiya. Flying Kitten attempted to spread malware by posting comments on Al Arabiya’s Facebook page purporting to promote jihadism. These intelligence efforts have targeted jihadi groups across the Middle East and North Africa, Pakistan, and Afghanistan, including the Islamic State and al-Qaeda, while focusing on Iraqi and Persian-language groups.129

Security-related cyber operations extend as well to fringe political organizations that have previously engaged in hostilities against the Islamic Republic.130 Iranian threat actors have successfully compromised individuals affiliated with front groups for the Mojahedin-e Khalq (MeK) opposition group, including the Iranian American Society of Texas and the Simay Azadi television station. These intrusions provided access to private Facebook discussion groups and intra-organizational planning for MeK rallies, Telegram channels, and MeK television programming. Given the MeK’s past disclosures on Iran’s nuclear program, which the organization has claimed were obtained through an in-country network of collaborators, these activities also constitute a counterespionage program.

Iranian threat actors also maintain a significant focus on disenfranchised ethnic minorities advocating for greater autonomy. One recurrent target has been Baluchi groups, a Sunni Muslim population located in both Iran and Pakistan. The news outlets and social media accounts of Baluchi militant organizations, such as Jundallah, have repeatedly been targeted by Tehran. These operations include breaching multiple Jundallah affiliated sites as early as July 2010 to push malware to their visitors, a “watering hole attack” designed to surveil violent separatists that would be of interest to Iranian security agencies.131 In other cases, from a different threat actor, Jundallah was targeted using malware hosted on domains purporting to be related to the Free Syrian Army and sent in emails claiming to provide documentation of attacks against the IRGC.

Tehran has also devoted considerable resources to cyber operations targeting Kurdish organizations inside Iran and abroad. Malware samples from April 2015 targeted the Free Life Party of Kurdistan (PJAK), a militant Iranian faction of the Marxist-Leninist Kurdistan Workers’ Party (PKK).132 The same threat actor appears to have successfully compromised a Kurdish satellite television station, Newroz TV, aligned with the PKK. Newroz TV was also compromised by the Flying Kitten malware in 2014, indicating an overlap not only in the threat actors’ mandates but also in their exact targets. Still other groups have used fictitious LinkedIn profiles to connect to representatives of the Kurdistan Regional Government in Iraq. Judging from computer names and other indicators, many more of those compromised by Iranian malware were in Iran’s Kurdistan province, while others were found in Iraqi Kurdistan, or among the Kurdish population in Europe.

Civil Society

The internet has facilitated communication and organization between Iranians and foreign and diaspora organizations, but it has also increased the Iranian government’s opportunities for surveillance and repression against foreign-based operations.

Though many foreign civil society organizations have been the subject of sustained attempts at infiltration and disruption by Iran, few appear to have incurred attacks of such persistence and aggression as those against the Eurasia Foundation, an NGO in Washington, DC, that conducts development programs in former Soviet countries, the Middle East, and China. As part of its Iran-focused social development programs, the Eurasia Foundation in October 2009 launched the Khorshid School of Entrepreneurship, which promoted women’s entrepreneurship through distance learning courses and the creation of professional networking opportunities.

The Eurasia Foundation’s programs and organizational history connect closely with Khamenei’s fears of a Velvet Revolution. The foundation would later launch several more online Persian-language programs covering a range of issues, from social entrepreneurship to family law. The first intrusion attempt occurred shortly after an article was published in the hardline Iranian newspaper Kayhan in February 2014. It accused the Eurasia Foundation of engaging in social engineering by establishing networks of women and teachers to foment grassroots economic, political, and social pressure on the regime, all under the direction of the U.S. Agency for International Development and the U.S. State Department. Ten days after the article appeared, Flying Kitten began its spearphishing campaign against the Eurasia Foundation. For the next two years, the Eurasia Foundation would continue to be the target of malware, credential theft, and social engineering by diverse threat actors with diverse strategies.133

The campaign against the Eurasia Foundation is emblematic of Iran’s long and ongoing history of cyber operations against U.S.-based NGOs. U.S. think tanks have been a focus of interest, with targets such as the American Enterprise Institute and the Council on Foreign Relations singled out by multiple Iranian threat actors. The same Iranian actors that targeted the Eurasia Foundation in December 2015 also impersonated the network administrators at multiple Washington, DC, foreign policy institutions critical of the Iranian government in order to compromise their employees.

Nor are these efforts directed only at Iran’s detractors. Organizations advocating improved relations with Iran or nonpolitical researchers have been routinely targeted—the common denominator appears to be simply a policy interest in Iranian affairs.

Notes

104 “Iran Telecoms, Internet Report 2016-2017,” Financial Tribune, April 26, 2017, https://financialtribune.com/articles/economy-sci-tech/63062/iran-telecoms-internet-report-2016-17.

105 For example, the mobile chat applications and voice over internet protocol (VOIP) services, such as Viber, Skype, and Telegram, that became popular replacements for standard telephony and text messaging bypass the lawful interception capacities traditionally embedded in phone systems.

106 One significant example is Telegram, which had reached over 40 million users in Iran as of 2017. Because it encrypts traffic in transit, it is not susceptible to the filtering of specific content or keywords. While neither Iranian authorities nor Telegram has been fully forthcoming about their relationship, it is clear that the former has attempted to incentivize and threaten Telegram into complying with requests for the removal of content, including briefly blocking the service in October 2015. While it appears that Telegram does take down pro–Islamic State content, it has not thus far complied with other requests.

107 Collin Anderson, “How Iran Is Building Its Censorship-Friendly Domestic Internet,” Backchannel (blog), Wired, September 23, 2016, backchannel.com/how-iran-is-building-its-censorship-friendly-domestic-internet-11db69aae96d.

108 Joseph Menn and Yeganeh Torbati, “Exclusive: Hackers Accessed Telegram Messaging Accounts in Iran—Researchers,” Reuters, August 2, 2016, http://www.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM.

109 Fereydoun has been the target of a corruption investigation, which has been perceived as an attempt to undermine Rouhani. Regardless of the legitimacy of these claims, the attempts against Fereydoun began early in Rouhani’s first term and targeted his family. This extended into impersonating Zarif to target Fereydoun and vice versa. The long-term focus suggests the targeting was related to politics rather than the criminal investigation.

110 Aresu Eqbali, “Back Home, Iran’s Leader Tries to Sell Nuclear Deal,” Wall Street Journal, July 16, 2015, http://www.wsj.com/articles/back-home-irans-leader-tries-to-sell-nuclear-deal-1437081590.

111 Aresu Eqbali and Asa Fitch, “Iran Accuses Man Involved in Nuclear Deal Negotiations of Spying,” Wall Street Journal, August 28, 2016, https://www.wsj.com/articles/iran-accuses-man-involved-in-nuclear-deal-negotiations-of-spying-1472416462.

112 Hanif Kashani, “Zarif, Attacked But Unscathed,” Iran Wire, September 17, 2013, https://en.iranwire.com/features/2665/.

113 Such as the use of mobile phone interception to capture login credentials for Telegram and Google accounts. In other cases, elaborate ruses appeared to be set up based on private political information in order to convince the target to run malware.

114 Based on data acquired through forensic investigations of Flying Kitten and Charming Kitten’s credential theft campaigns.

115 On April 19, 2016, the Google and Facebook accounts of Shahindokht Molaverdi, at that time Iran’s vice president for Women and Family Affairs, were compromised by Rocket Kitten in order to conduct a spearphishing campaign against women’s rights activists.

116 The ban was imposed in February 2015. “Rouhani and Judiciary Clash Over Ban on Publishing Images of Former President Khatami,” Center for Human Rights in Iran, December 21, 2015, https://www.iranhumanrights.org/2015/12/khatami-media-ban-and-etelaat-newspaper/.

117 Collin Anderson, “Dimming the Internet: Detecting Throttling as a Mechanism of Censorship in Iran,” arXiv.org, June 18, 2013, http://arxiv.org/abs/1306.4361.

118 Specifically, Flying Kitten, Infy, and Magic Kitten.

119 “Iran Accelerates Crackdown on Media and Dissidents Prior to Election,” International Campaign for Human Rights in Iran, June 10, 2013, https://www.iranhumanrights.org/2013/06/iran_election/.

120 Parthisan, “Abtahi's Blog Was Hacked for Revealing Torture Details,” Persian Students in the United Kingdom, January 2, 2005, hosted by Internet Archive, https://web.archive.org/web/20050123083526/http://www.persianstudents.org/archives/001269.html.

121 Based on observation of the Rocket Kitten’s social engineering attempts against foreign human rights activists that appeared to use a breached account belonging to Abtahi.

122 Based on data acquired from a malware command and control server found through forensic investigation of Flying Kitten activity.

123 Gholam Ali Rajaee, “Warning!” (in Persian), December 27, 2015, http://www.gholamalirajaee.blogfa.com/post/1152/%D9%87%D8%B4%D8%AF%D8%A7%D8%B1.

124 “Iran: Baha’is Educating Their Youth Is a ‘Conspiracy’ Against the State,” Baha’i World News Service, July 27, 2011, http://news.bahai.org/story/843. In response to this persecution, the Baha’i community has become particularly adept at using the internet for international advocacy and countering exclusion, including offering online distance learning classes from the Baha’i Institute for Higher Education.

125 The Infy malware agent, as directly observed in January 2016.

126 Shima Shahrabi, “Iran’s New Criminals: Fashion Models,” Iran Wire, February 2, 2016, https://en.iranwire.com/features/7058.

127 Based on data acquired from a malware command and control server found through forensic investigation of Flying Kitten activity.

128 FireEye (through its iSIGHT Partners) has also noted that threat actors focused on the Islamic State as the militant group was expanding its territory across Iraq, an interest expressed by the threat actors well before 2015. David E. Sanger and Nicole Perlroth, “Iranian Hackers Attack State Dept. via Social Media Accounts,” New York Times, November 24, 2015, http://www.nytimes.com/2015/11/25/world/middleeast/iran-hackers-cyberespionage-state-department-social-media.html.

129 In one case a shared computer in Erbil, Iraq, used by a Kurdish supporter of a Jordanian jihadi figure was compromised through the malware, which was delivered as personal pictures sent by a fictitious female social network profile. The same group maintained phishing sites with hard-coded references to Facebook pages associated with the Islamic State’s “Ministry of Information,” Tunisian Islamic Awakening, Lashkar-e-Khorasan (Pakistan), and al-Qaeda affiliates, among other Islamist movements. This targeting was broad, but more effort was spent on Persian-language or Iran-oriented actors, targeting Facebook pages as small as one with five members and one public post, a “Salafe Kurdistan” page.

130 The operations reflect old rivalries from the Islamic Revolution being played out, as Flying Kitten sought access to accounts and sites associated with Marxist-Leninist Fedaian and other Communist parties as well.

131 Some of the first observed operations of the Infy group targeted Taftaan News Agency and the Jonbesh-e Moqavemat-e Mardomi-e Iran separatist group, and compromised computers in the province of Sistan and Balochistan over the course of several years. Shortly after the suspected time of intrusion, at least one of the affected blogs warned its visitors that an old email address connected to the site had been compromised by Iranian intelligence agencies. The following day the administrators closed the site, claiming technical issues.

132 Several Infy malware samples had names such as “pjak.pps” and other references to Marxist ideologies (such as “kargar.pps,” or “worker”).

133 For example, current and former employees of the organization, both with the Iran Program and general operations staff, have been engaged by several fictitious personas on LinkedIn and Facebook, including the persona “Victoria Roberts,” the LinkedIn profile name described earlier as connecting predominantly with defense companies. The existing networks of these profiles reflect a specific interest in the American foreign policy establishment, international development programs, and the defense industrial base.