IRAN 2022

Log4j: How hackers are using the flaw to deliver this new ‘modular’ backdoor
The Iran-backed hacking group Phosphorus, also tracked as APT35, is using the Log4j vulnerability to distribute a new modular PowerShell toolkit, according to security firm Check Point. APT35 is one of several state-backed hacking groups known to have been developing tools to exploit public-facing Java applications that use vulnerable versions of the Log4j error-logging component.
Microsoft, which tracks the group as Phosphorus and has called it out for increasingly using ransomware in attacks, found it had operationalized a Log4j exploit for future campaigns less than a week after Log4Shell’s December 9 disclosure. ZDNet, January 12, 2022.

Biden Signs Memo on Cybersecurity
President Biden signed a national security memorandum on Jan. 19 to bolster the cybersecurity of National Security, Department of Defense and Intelligence Community systems. The memo directs national security agencies to adopt the same cybersecurity standards that the earlier Executive Order 14028 imposed upon certain federal civilian agencies. The memo further authorizes the National Security Agency to issue binding operational directives requiring agencies to both identify their national security systems and take action to protect or mitigate against cyber threats targeting those systems. The memo also requires agencies to “secure cross domain solutions – tools that transfer data between classified and unclassified systems.” You can read the memo here.

The Iranian MFA announced designations of 51 US citizens
The Iranian Ministry of Foreign Affairs (MFA) announced on its portal on the 8th of January, 2022, designations of 51 US citizens pursuant to the “Act on Countering Violations of Human Rights and Adventurist and Terrorist Actions of the United States of America in the Region” for their alleged role in the death of General Ghasem Soleimani and others. Those listed include former and current US government, military and CIA officials and personnel, as well as US government national security advisors and private business owners. This is “in addition to the American individuals including Donald Trump[1], Michael Pompeo[2], John Bolton[3], Mark Esper[4], Gina Haspel[5], Christopher Miller[6] and Steven Mnuchin[7] and also Matthew Tueller[8], Steven Fagin[9] and Rob Waller[10] who were listed respectively on 19 January 2021 and 23 October 2020”, according to the MFA.

What Role Should Criminal Justice Play in Foreign Relations?
What is the function of criminal justice in foreign relations? Consider the federal criminal case against Venezuelan President Nicolás Maduro. In March 2020, the U.S. Department of Justice publicly unveiled federal international drug trafficking charges against Maduro, just a month after President Trump had met with Juan Guaidó, the head of the Venezuelan National Assembly. The case played an ambiguous role in broader U.S.-Venezuela foreign policy. Some commentators believed that the indictments were an integral part of the Trump administration’s “maximum pressure” campaign to cabin Maduro, a campaign that included sanctions and political recognition of Guaidó as Venezuelan president. At the same time, the criminal investigation clearly began during the Obama administration and thus potentially represented the natural culmination of years of prosecutorial efforts. How much control did the White House have over the case? How much should it have had?

US delays intelligence center targeting foreign influence
As Russia was working to subvert U.S. elections and sow discord among Americans, Congress directed the creation of an intelligence center, the Foreign Malign Influence Center, to lead efforts to stop interference by foreign adversaries. But two years later, that center still is not close to opening, according to this article in AP News. Experts and intelligence officials broadly agree the proposed Foreign Malign Influence Center is a good idea. The U.S. has lacked a cohesive strategy to fight influence operations, they say, with not enough coordination among national security agencies. Adversaries that tried to interfere in the last two presidential elections continue to bombard Americans with disinformation and conspiracy theories at a time of peril for democracy in the U.S. and around the world. But the intelligence community and Congress remain divided over the center’s mission, budget and size, according to current and former officials. While separate efforts to counter interference continue, a person identified this year as a potential director has since been assigned elsewhere, and the center likely will not open anytime soon.
The term “foreign malign influence” means any hostile effort undertaken by, at the direction of, or on behalf of or with the substantial support of, the government of a covered foreign country with the objective of influencing, through overt or covert means— (A) the political, military, economic, or other policies or activities of the United States Government or State or local governments, including any election within the United States; or (B) the public opinion within the United States.
The term “covered foreign country” means the following: (A) The Russian Federation. (B) The Islamic Republic of Iran. (C) The Democratic People’s Republic of Korea. (D) The People’s Republic of China. (E) Any other foreign country that the Director of the Center determines appropriate for purposes of this section.

Russia and Iran’s show of unity against the U.S.
Iran’s president visited Russia this week on a trip Iranian officials called a “turning point” in their relations, as officials also announced a planned joint naval exercise that includes China for later this week. The visit by President Ebrahim Raisi to Moscow comes amid rising tensions between Russia and Western countries over Moscow’s troop buildup on Ukraine’s border, broadly seen as preparation for a possible invasion. Russia claims it has no plans to invade. In a speech (January 20, 2022) before Russia’s parliament, the Duma, Raisi accused NATO of expanding into “various geographical areas with new coverings that threaten the common interests of independent states.” Raisi and Russian President Vladimir Putin met at the Kremlin on Wednesday, but despite the red-carpet welcome, there were no substantial country-to-country agreements announced. “The significance of the trip at the moment is still mostly symbolic,” Alex Vatanka, director of the Middle East Institute’s Iran Program, told VOA. “There’s talk of closer military cooperation. There’s talk of strategic cooperation in the energy sector. We’ve heard this before. Time will show if any tangible deals can be reached.”

Photo credit: Pavel Bednyakov/Sputnik

In his only tweet about Raisi’s trip to Russia, Iran’s foreign minister, Hossein Amirabdollahian, was cryptic. “The presidents of the two countries agreed on a long-term roadmap,” he wrote, without clarifying what the map was about or whether an agreement was signed. During Raisi’s travels, Iranian state-run media reported planned joint naval exercises among Iranian, Russian and Chinese forces in the north of the Indian Ocean on Friday. Iran’s armed forces and Islamic Revolutionary Guards Corps will take part in the drills, an Iranian military official said. Iran became a full member of the Shanghai Cooperation Organization in September 2021, thanks to strong Russian support. You can read the VOA article (“Iran, Russia Tout Closer Ties Amid Tensions With Europe, US”) here.

Settlement Agreement between the U.S. Department of the Treasury’s Office of Foreign Assets Control and Sojitz (Hong Kong) Limited
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement on January 11, 2022, with Sojitz (Hong Kong) Limited (“Sojitz HK”), a Hong Kong, China-based company that engages in offshore trading and cross-border trade financing. Sojitz HK agreed to remit $5,228,298 to settle its potential civil liability for apparent violations of the Iranian Transactions and Sanctions Regulations (ITSR). The apparent violations occurred when Sojitz HK made U.S. dollar payments through U.S. financial institutions for Iranian-origin high density polyethylene resin (HDPE) from its bank in Hong Kong to the HDPE supplier’s banks in Thailand. In doing so, Sojitz HK caused the U.S. financial institutions that processed the funds to engage in and facilitate prohibited financial transactions related to goods of Iranian origin. The settlement amount reflects OFAC’s determination that Sojitz HK’s apparent violations were non-egregious and voluntarily self-disclosed, and accounts for Sojitz HK’s remedial response and cooperation with OFAC. For more information, please visit this web notice.

Significant Cyber Incidents (CSIS)
Below is a summary of Iran-related incidents from the Center for Strategic and International Studies over the last year. For the full list, click here.

December 2021. Cybersecurity firms found government-linked hackers from China, Iran, and North Korea attempting to use the Log4j vulnerability to gain access to computer networks. Following the announcement of Log4j, researchers already found over 600,000 attempts to exploit the vulnerability.

October 2021. 1) A cyberattack targeted the government-issued electronic cards Iranians use to buy subsidized fuel and altered the text of electronic billboards to display anti-regime messages against the Supreme Leader Ayatollah Ali Khamenei. 2) A group with ties to Iran attempted to hack over 250 Office 365 accounts. All the targeted accounts were either U.S. and Israeli defense technology companies, had a focus on Persian Gulf ports of entry, or maritime transportation companies with a presence in the Middle East.

September 2021. Hackers obtained 15 TB of data from 8,000 organizations working with the Israel-based company Voicenter and offered the data online for $1.5 million. Some experts have speculated that the hackers have ties to Iran, but no link has been confirmed.

August 2021. Hacks initially attributed to Iran in 2019 and 2020 were found to be conducted by Chinese operatives. The cyberattack broke into computers across Israel’s government and tech companies.

July 2021. Iran used Facebook accounts to pose as recruiters, journalists, and NGO affiliates, targeting U.S. military personnel. The hackers sent malware-infected files or tricked targets into submitting sensitive credentials to phishing sites.

June 2021. The Iranian government launched a widescale disinformation campaign, targeting WhatsApp groups, Telegram channels and messaging apps used by Israeli activists. The campaign aimed to advance political unrest and distrust in Israel.

March 2021. 1) Suspected Iranian hackers targeted medical researchers in Israel and the U.S. in an attempt to steal the credentials of geneticists, neurologists, and oncologists in the two countries. 2) Suspected Iranian hackers targeted government agencies, academia, and the tourism industry in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the UAE as part of a cyber espionage campaign.

February 2021. 1) Iranian hackers took control of a server in Amsterdam and used it as a command and control center for attacks against political opponents in the Netherlands, Germany, Sweden, and India. 2) Suspected Iranian hackers targeted government agencies in the UAE as part of a cyber espionage campaign related to the normalization of relations with Israel. 3) Two Iranian hacking groups conducted espionage campaigns against Iranian dissidents in sixteen countries in the Middle East, Europe, South Asia, and North America.

An update on Aras Amiri
The British Council says an Iranian employee who was accused of spying by Iran has been released from detention there and has returned to the UK. Aras Amiri had been acquitted of all charges by Iran’s Supreme Court following an appeal, the cultural organization said in a statement. There was no immediate confirmation from the Iranian authorities. Ms Amiri, who worked in the British Council’s London office, was arrested in 2018 while visiting her grandmother. A spokesman for Iran’s judiciary announced in 2019 that an Iranian woman “in charge of the Iran desk at the British Council” had been convicted of spying by a Revolutionary Court and sentenced to 10 years in prison. He alleged that the woman had used contacts with arts and theatre groups to “influence and infiltrate” Iran at a cultural level, and that she had confessed to co-operating with British intelligence.


On November 16, 2019, CHRI published the article “Aras Amiri Tried to Educate British People About Iranian Culture. Now She’s Serving a 10-Year Prison Sentence in Iran”. Headquartered in New York City, the Center for Human Rights in Iran (CHRI) comprises award-winning journalists, researchers and human rights advocates. Its staff collaborates with an extensive team of independent investigators, civil society activists and human rights defenders inside Iran, allowing CHRI to report on and document real-time, on-the-ground human rights conditions in Iran.

The hacker-for-hire industry is now too big to fail
The spotlight is on the “hackers for hire” industry as never before, after a series of public scandals engulfed the billion-dollar Israeli company NSO Group, which sells hacking tools to governments. Last month, Facebook reported that seven hacker-for-hire firms from around the world had targeted around 50,000 people on the company’s platforms. The fact that the investigation didn’t even mention NSO Group shows how vast the industry and its targeting are. While NSO Group’s future is uncertain, governments are more likely than ever to buy cyber capabilities from the industry it helped define. Business is booming for “hackers for hire” firms. In the last decade, the industry has grown from a novelty into a key instrument of power for nations around the world. While the industry’s earliest customers were a small set of countries eager to project power around the world through the internet, the situation is far more complex today. Billions of dollars are at play, but there’s very little transparency and even less accountability. The result is a growing crowd of countries willing to spend large sums to develop sophisticated hacking operations. Read the full story, written by the cybersecurity senior editor for MIT Technology Review, here. See also the March 2021 article “Inside Israel’s lucrative – and secretive – cybersurveillance industry”, published by Rest of the World.

The Top 10 Global Risks of 2022
According to this article in Time, a domestic focus for both the U.S. and Chinese governments lowers the odds of a big international conflict in 2022, but it leaves less potential leadership and coordination to respond to emerging crises. That’s bad news in a year that will be dominated by the COVID-19 pandemic, climate change, and a number of regional geopolitical crises.
1. No zero COVID
2. Technopolar world (The world’s biggest tech firms decide much of what we see and hear. They determine our economic opportunities and shape our opinions on important subjects. E.U., U.S., and Chinese policymakers will all tighten tech regulation this year, but they won’t limit their ability to invest in the digital sphere, where they, not governments, remain the primary architects, actors, and enforcers. Tech giants can’t yet (and don’t want to) effectively govern the digital space or the tools they’re creating. Disinformation will further undermine public faith in democracy, particularly in the U.S. As tech firms and governments fail to agree on how to protect data privacy, cyber-security, and the safe and ethical use of artificial intelligence, U.S.-China (and, to a lesser degree, U.S.-Europe) tensions on these issues will grow.)
3. U.S. midterms
4. China at home
5. Russia
6. Iran (Iran’s nuclear program is advancing rapidly. With diplomacy stalled, the Biden Administration has few options. Israel will increasingly take matters into its own hands—which once again raises the specter of Israeli strikes on Iranian nuclear facilities. These pressures will collide this year, leaving oil prices and regional states jittery, and increasing the risk of conflict.)
7. Two steps greener, one step back
8. Empty lands
9. Corporates losing the culture wars
10. Turkey

Hackers Target Press Conference About C$107M Damages Award Against Iranian Government
Hackers interrupted a video press conference Tuesday with the Canadian lawyers who successfully sued the Iranian government over the downing of a Ukrainian airliner near Tehran two years ago. The Ontario Superior Court had on Dec. 31 awarded C$107 million, including $100 million in punitive damages, to the families of six people who died when Ukraine Airlines Flight PS752 was shot down on Jan. 8, 2020. Justice Edward Belobaba had in May 2021 concluded that the Islamic Republic of Iran was civilly liable for shooting down the plane in an act of terrorism. Canada’s State Immunity Act and Justice for Victims of Terrorism Act allow civil claims against foreign states where the losses sustained were caused by the state’s “commercial activity” and, in more limited circumstances, “terrorist activity.” A few minutes into the Zoom briefing on Tuesday, lawyer Mark Arnold said that while he would not disclose how they could go after Iran’s leadership to collect on the judgment, they knew “where the Iranian assets are.”
“If anybody from the Islamic Republic of Iran is on this call, if the Supreme Leader is on this call, we’re coming after your assets, gentlemen in Iran. We would encourage you to contact us and cooperate with us so that we could do it in an efficient and timely manner,” said Arnold.
Moments later, clips of loud music with obscene lyrics, pornographic and violent images, and creepy illustrations of a dog and a doll with sharp teeth took over the call for about two minutes before the shocked lawyers hosting shut it down. More in this January 4, 2022 article in 

“Iranians on #SocialMedia”: The only way to be heard
A discussion surrounding the recently released report “Iranians on #SocialMedia”, which explores the social media habits of Iranian netizens and how the Islamic Republic is repressing the online space. A reported 74 percent of Iranians over the age of eighteen use social media and messaging apps. Iranians use these apps for economic, entertainment, and sociopolitical purposes. Of utmost concern, aside from countless arrests for Internet activities and recurring Internet shutdowns during times of unrest, is a bill that may be implemented in mid-March that threatens to introduce increased restrictions on Iranian society. The so-called “Protection Bill” not only criminalizes circumvention tools like VPNs, but can potentially cut Iranians off from the outside world.
How the Iranian government is fighting back (excerpt): Freedom House categorizes Iran as “not free” on its Global Freedom Score (16 out of 100) and Internet Freedom Score (16 out of 100)—the lowest rank among MENA countries. Since the 2009 Green Movement, the Islamic Republic has viewed social media as a national security threat. “This seminal event realigned much of Iran’s national security forces and resources towards internet governments, policies, and laws,” wrote ARTICLE19 in its groundbreaking report, “Iran: Tightening the Net 2020 after Blood and Shutdowns.” Of note was the establishment of the cyber police (FATA) in 2010 to police the Internet, and the Supreme Council of Cyberspace (SCC), a top Internet-policymaking body created by the supreme leader in 2012. As a result, Iranian authorities have widespread control over 57.4 million Internet users. Not only have authorities blocked 35 percent of the world’s most-visited websites—including Facebook, Twitter, and YouTube—but they have also developed a Chinese-style “great firewall” of censorship. It is worth mentioning that while the Green Movement was a pivotal event in online censorship, as early as 2006–2007, authorities blocked the Google-owned social networking website Orkut—which Iranian users dominated—and MySpace. As academic Niki Akhavan reveals, the blocking of these two websites is telling of the Iranian government’s “awareness of social media’s rising popularity and potential for challenging the state” at the time. Numerous messaging and social media apps have come and gone over the years, including messaging app Viber, which was blocked by authorities in May 2014. By 2016, the two most popular apps were Instagram and Telegram. Moderate political candidates used both to attract votes in the 2016 parliamentary and 2017 presidential elections. They were deemed threatening enough for authorities to arrest twelve administrators of reformist-leaning Telegram channels just before the 2017 election.
Almost a decade after the Green Movement, in April 2018, authorities banned Telegram to “protect national security.” The move was prompted by the December 2017–January 2018 protests, in which Iranians in more than eighty provincial towns and cities took to the streets in what became one of the most widespread protests since the 1979 revolution. Authorities believed the popular messaging app, which reportedly had forty million users right before the ban, incited people to protest. They cited the website and Telegram channel known as Amad News, which had 1.4 million subscribers and was run by France-based dissident journalist Ruhollah Zam, who used his account to expose the corruption of the clerical establishment and publish insider information obtained through family connections (his father was a prominent reformist cleric). Authorities alleged that Amad News helped coordinate protests, and even that it circulated a manual for Molotov cocktails. In 2019, the intelligence arm of the IRGC lured and kidnapped Zam from Iraq and shut down his Telegram channel. Zam was forced to confess under torture to a long list of allegations and was sentenced to death. He was executed on December 12, 2020. To counter Telegram, Iran released its domestic version, known as Soroush (and later other apps, including Bale, Gap, iGap, and Rubika).

Sticker packs offered in Soroush show emoji carrying pro-Khamenei signs / Screenshot/Al Jazeera

The move prompted many privacy and security concerns, with some Iranians resorting to humor to highlight the Big Brother aspect of such apps. Three weeks after the ban of Telegram, Iranian user levels returned to their pre-filtering numbers. Interestingly, a year after the Telegram ban, by April 2019, government agencies also returned to the app, including the Islamic Republic of Iran Broadcasting. As Radio Free Europe/Radio Liberty (RFE/RL) reported at the time, “One reason was Telegram’s effectiveness in disseminating information during devastating floods” that hit parts of the country in March 2019.
In January 2021, the encrypted-messaging service Signal became the most recent app to be blocked. On January 14, 2021, authorities ordered that Signal be removed from Cafe Bazaar and Myket as users around the globe, including many Iranians, migrated from WhatsApp to Signal due to privacy concerns. On January 25, 2021, Iranian users reported connection problems with the messaging app. In response, Signal tweeted, “Unable to stop registration, the IR censors are now dropping all Signal traffic. Iranian people deserve privacy. We haven’t given up.” According to an Al Jazeera report, Signal was intermittently blocked during 2016 and 2017, but didn’t have a substantial Iranian user base at the time. Where blocks on applications don’t work, cybercrime laws help tighten control over Iranian netizens. Under the guise of cybercrime laws, authorities have made countless arrests over the years for Internet activities, with the help of FATA’s forty-two thousand civilian “volunteers” who police the Internet. The exact number is uncertain, although in October 2018, Iran’s cyber police claimed it had arrested some seventy-five thousand people over an eight-year period for online activities—some merely for criticizing the government. The Human Rights Activists in Iran group reported that, between January 2017 and January 2021 alone, at least three hundred and thirty-two people were arrested just for their online activities; of that number, one hundred and nine were arrested for Instagram posts. The arrests tend to follow a familiar pattern. Instagram influencers are “harassed, arrested, and prosecuted by Iranian authorities, which activists say pressured them to ‘confess’ their alleged crimes, sometimes on state television.”
Although there are countless examples, some caught the attention of international headlines, given the preposterous nature of the charges. In 2014, six young Iranians were briefly imprisoned for posting a video of themselves dancing on Tehran rooftops and in an alleyway to Pharrell Williams’ hit song “Happy.”

A rooftop scene in the video “Happy We are from Tehran” / photo credit: YouTube Screenshot

Authorities at the time described it as an “obscene video clip that offended the public morals and was released in cyberspace.” The youth were handed sentences of up to one year in prison and ninety-one lashes, which were suspended for three years—in other words, the sentence wouldn’t be carried out as long as the accused didn’t reoffend. In 2016, FATA conducted a two-year “sting operation” that consisted of monitoring some three hundred Instagram accounts. At least eight people were arrested, including Instagram model Elham Arab, known for her wedding-dress shoots without hijab in full hair and makeup. The court charged the models with allegedly “promoting corruption” and “immoral and un-Islamic culture and promiscuity” and “spreading prostitution.” Arab later appeared on state television in a black chador and was forced to renounce her actions. In the wake of the crackdown, Instagram model and beauty influencer Elnaz Golrokh managed to flee Iran with her Iranian model boyfriend. Golrokh continues to be a beauty influencer and has 4.1 million followers, but works from Dubai. For more information, please see the Atlantic Council’s recently released report “Iranians on #SocialMedia”, which explores the social media habits of Iranian netizens and how the Islamic Republic is repressing the online space.