
Iranian Opposition DDoS-es Pro-Ahmadinejad Sites

Dancho Danchev

By utilizing the people's information warfare concept, Iranian opposition has managed to successfully organize a cyberattack against Tehran's regime (complete analysis) by using Twitter, web forums, and localization (translation) of the recruitment messages in order to seek assistance from foreigners.

So far, their rather simplistic denial-of-service tools have managed to disrupt access to key government web sites, and the intensity of the attacks is likely to increase, since the opposition appears to be in a "learning mode".

What does "learning mode" stand for here? It is their current stage of experimentation, which clearly indicates their inexperience with such campaigns and with DDoS attacks in general. The opposition's de-centralized chain of command isn't even speculating on the use of botnets, since primitive multi-threaded connections from Iranian hosts hitting Iranian sites seem to achieve the desired effect.

From a strategic perspective, this internal unrest, resulting in the disruption of key government web sites (the de-facto propaganda vehicles of the current government), directly denies the government's ability to influence the population and the media, which, in their search for information, will inevitably end up visiting the opposition web sites that remain online.

Moreover, the majority of people's information warfare driven cyberattacks we've seen during the past two years have all revolved around the scenario where a foreign adversary attacks your infrastructure from all over the world. In the current situation, however, it is Iran's internal network that is consuming itself, and the trade-off for denying all of the traffic would be losing the very traffic that could potentially be influenced through PSYOPs (psychological operations).

What has changed since yesterday's real-time OSINT analysis? The web based "Page Rebooter" tool heavily advertised by the opposition has decided to stop offering the service due to the massive abuse:

"Unfortunately I have had to take the site down temporarily. The site was being used to attack other websites, until I can determine the source of these attacks, I have decided to keep it offline. My apologies to everyone who uses this site for its intended purpose, hopefully we'll be back soon. I have now received several emails regarding this. Unfortunately, last night's spike in traffic cost me a lot of money in server costs, I therefore cannot afford to keep it online — even if the use is just. I have therefore decided to release the code for this site, so that you may create your own copies."

Meanwhile, the opposition has come up with a segmented targets list including hardline news portals, official Ahmadinejad sites, Iranian law enforcement sites, banks, judiciary and transportation sites, aiming to recruit international supporters:

"ALL PEOPLE AROUND THE WORLD:

Please help us in a full-scale cyberwar against the dictatorial brutal government of Ahmadinjead! Help Iranians to earn back their votes per instructions below:

Simply click on a few of the following links (better to choose your selections from different categories); it opens the site in a new tab. It will not stop you from browsing but by sending a refresh signal to the target site will saturate it. By doing so, we can block Ahmadinjead's government's flow of information in many of its key components as shown below. Please help us and yourself from this lunatic who will push the world to world war III."

Following the updated list of targets, a new LOIC.exe DoS tool is being advertised. The tool is, however, anything but sophisticated (it has been around since 6 Jul 2008) compared even to the average Russian DDoS bot. Taken together, the simplistic nature of the opposition's attack tools indicates the lack of any in-depth understanding of information warfare principles, at a time when other countries are already going beyond cyber warfare and aiming for the unrestricted warfare stage.

The Conspiracy Theory and the Facts

How is the Iranian government/regime responding to these attacks? Is it striking back to the fullest extent speculated in countless cyber warfare research papers? Moreover, can it actually attack "adversaries" who, in this case, reside within the country's own network? Can we easily compare this unpleasant situation, from an information warfare perspective, to the ongoing discussion of whether or not the US should go offensive in cyberwarfare ("Should the US Go Offensive In Cyberwarfare?"), and "go offensive" against whom in the first place? Against the hundreds of thousands of U.S.-based malware-infected hosts operated by a foreign entity, where the adversary uses the targeted country's own infrastructure as a human shield?

That's the dilemma Iran's government is currently facing, but let's connect the dots and show that the Fars News Agency, which is pro-Ahmadinejad and maintains ties to the Iranian judiciary, has in fact participated in this "cyber warfare attack with sticks and stones".

The Fars News Agency has been under attack since the beginning of the campaign, approximately 48 hours ago, prompting the site — just like many others — to switch to a "lite" version in light of the ongoing attacks consuming the site's bandwidth.

In a desperate attempt to influence the outcome of the DDoS attack, Fars News included iFrames pointing to opposition and anti-Ahmadinejad news sites (balatarin.com; ghalamnews.com and mirhussein.com) in order to redirect some of the attack traffic to them. The campaigners noticed the change, but upon confirming that the opposition's web sites remain online even with the iFrames in place, decided to continue the attack.
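The two behaviours described so far, a client re-requesting the same page many times a second (the "refresh signal" of the Page Rebooter style tools) and traffic that arrives only because another site embedded the target in an iframe, both leave clear traces in an ordinary web server access log. The following script is an added example, not code from the article or from any of the parties it describes; it parses constructed lines in the Apache/Nginx "combined" log format and flags both patterns. The hostnames, addresses, timestamps, the 10-second window and the 30-request threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format: client, identd, user, [timestamp],
# "request line", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def find_refresh_floods(entries, window_seconds=10, threshold=30):
    """Find (client, path) pairs that were re-requested at least `threshold`
    times inside any `window_seconds`-long sliding window. A browser refresh
    loop shows up as the same client hammering the same path; returns the peak
    count per offending pair."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["ip"], e["path"])].append(e["ts"])
    floods = {}
    for key, stamps in by_key.items():
        stamps.sort()
        peak, left = 0, 0
        for right, t in enumerate(stamps):
            # Advance the left edge until the window is at most window_seconds wide.
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            floods[key] = peak
    return floods


def external_referer_hosts(entries, own_host):
    """Count requests whose Referer points at a third-party host. A sudden
    burst from a single foreign Referer is what an iframe embedded on another
    site (the Fars News trick above) looks like from the receiving end."""
    counts = defaultdict(int)
    for e in entries:
        ref = e["referer"]
        if ref in ("", "-"):
            continue
        host = urlsplit(ref).hostname
        if host and host != own_host:
            counts[host] += 1
    return dict(counts)


def _line(ip, second, path="/index.php", referer="-"):
    # Helper that builds one constructed log line at a given second.
    ts = f"16/Jun/2009:10:00:{second:02d} +0430"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "{referer}" "Mozilla/5.0"'


# Constructed sample log (addresses are RFC 5737 documentation ranges, hosts are
# invented): a refresh loop, an ordinary reader, and hits reflected via an iframe.
SAMPLE_LINES = (
    [_line("203.0.113.7", s // 4) for s in range(40)]            # 4 refreshes/sec for 10 s
    + [_line("198.51.100.4", 5), _line("198.51.100.4", 12, "/news/1")]
    + [_line("192.0.2.9", s, referer="http://embedding-site.example/lite.html") for s in range(3)]
)


def analyse(lines, own_host="example-target.test"):
    """Parse the lines and return (refresh floods, external referer counts)."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    return find_refresh_floods(entries), external_referer_hosts(entries, own_host)


if __name__ == "__main__":
    floods, referers = analyse(SAMPLE_LINES)
    for (ip, path), peak in floods.items():
        print(f"refresh flood: {ip} requested {path} {peak} times in one window")
    for host, n in referers.items():
        print(f"{n} requests arrived via third-party page on {host}")
```

On a real server the thresholds would be tuned to the site's normal traffic, and the Referer check is only a hint: the header is client-supplied and easily omitted, so its absence proves nothing, but a sudden cluster of hits all carrying the same foreign Referer is cheap to spot and is exactly the signal the campaigners relied on when they confirmed the iframed sites were still up.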

The bottom line — when your very own infrastructure hates you, you become nothing but an observer of the declining propaganda exposure projections you once set, having failed to anticipate the entirely realistic scenario in which the adversary you have been fortifying against, or have built sophisticated offensive capabilities to deal with, in fact resides within your own infrastructure. Attempting to attack him or shut him down will only multiply the effect of his original campaign.

The net is vast and infinite.

By Dancho Danchev, Independent Security Consultant. Visit the blog maintained by Dancho Danchev here.
