World Tries To Shock Self With Iranian Cyber Army
A day is a long time on the internet, and an hour longer still for those Twitter users temporarily deprived of their favourite web platform for an hour or so yesterday (18 Dec, UK time). As we all know by now, Twitterers were redirected via a DNS hack to a webpage showing a banner proclaiming the arrival of a new and mighty actor in cyberspace, the Iranian Cyber Army. I won’t rehash the details, as Praetorian Prefect has them all.
As I said on UK’s Channel 4 News last night (full interview here) we do not yet know who was responsible. My personal experience with the media yesterday suggests they really wanted to hear this was the work either of the Iranian government itself, or of Iranian pro-government hacktivists acting with or without state support. I refused to make such an assertion, or point the finger at anyone in particular.
Since then, Techcrunch (amongst many others) has revealed more details of how the actions were carried out, and there are strong signs that the culprit had legitimate Twitter log-in credentials for Dyn, Twitter’s DNS provider. The implication is that a Twitter employee’s username and password were used to access the system, allowing ‘whoever’ to amend Twitter’s DNS records and send visitors to a server of their choosing. Dyn last night disabled access to their ‘e-mail based password reset system, to prevent compromise of customer login credentials via e-mail systems’, which gives some clues as to how this happened: anyone who controlled, or could read, the mailbox a reset goes to could set a new password for the account without ever knowing the old one.
This doesn’t illuminate the question of ‘who’ much but does allow for the possibility that it was an ‘inside job’. I mention this, not because I think it was, but because insiders are far more likely to cause cybersecurity breaches than are outsiders. Let’s just keep the possibility on the table for now.
Prior to yesterday the Iranian Cyber Army did not exist in name, as far as I have been able to discern. This doesn’t mean that it isn’t an individual or group known by another name, only that this particular manifestation is indeed new. Who they might be will remain disputed, no doubt.
Techcrunch asserts that the incident was definitely ‘part of a concerted effort across the Iranian government and military to take a stronger diplomatic stance against the United States and European Union in the lead up to negotiations on Iran’s nuclear plans.’ Their reasoning is spurious, based on unnamed ‘sources’ and a blind confusion between the possible and the probable. Talk about leaping to conclusions.
There is no evidence that this was the work of Iranian intelligence or military, or even of Iranians, in Iran or elsewhere. Sure, the banner was clearly thumbing its nose at the US, and was geared to look like a Shi’a statement, but that does not make it the work of Iran or Iranians. It was occasionally reported that the Arabic on the banner read, ‘Hezbollah will surely be victorious’, or similar. Again, not necessarily true. The line is from a Qur’anic ayat referring to those who belong to and follow the ‘party of God’; far from an explicit reference to Hezbollah, the Lebanese Islamist organisation, even if that too is where they got their name.
In a subsequent segment on the Channel 4 website, anchorman Alex Thomson asked – with a wry chuckle, it has to be said – whether the attacks were the result of ‘CIA dirty tricks’. I personally doubt this is a reasonable explanation either. The irony of using a Gmail address (iranian.cyber.army@gmail.com) would not be lost on Langley, although signing off with ‘Take Care’ might be a humorous step too far. Flippancy aside, this doesn’t feel like the work of a US intelligence agency.
Genuine hacktivism, government action, commercial disruption, a prank? We don’t yet know. My personal opinion is that it was pro-Iranian hackers, if only because it’s the most logical explanation at the moment. But I certainly wouldn’t exclude Iranian government involvement somewhere in the mix. The two do not preclude each other, of course, nor do they preclude additional economic factors. As anyone with an interest in such things will tell you, purely linear explanations are losing their currency.
And what is the significance of the incident? Well, it’s somewhat contingent on establishing the ‘whos’ and ‘whys’, but the ‘how’ illustrates how effective this form of DNS hack can be: one set of credentials at the DNS provider redirects every visitor, with no need to break into the target’s own servers, and the target may only find out when its users do. There will be more. Twitter will reassess their security procedures (again), conduct an internal enquiry, and roll on regardless. Iran will probably say little, if anything – whoever’s responsible, this serves their propagandist purposes well. Most of us will remain in the dark until the full story is told. And that may never happen.
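One practical lesson from the ‘how’ is that a domain owner can notice this kind of change before its users do by comparing what resolvers actually return against a verified baseline, and by checking whether several independent resolvers agree with each other (unanimous disagreement with the baseline points at a change made at the provider, as here; a single dissenting resolver points at a cache problem instead). The script below is an added example written for this post; it is not Twitter’s or Dyn’s tooling and not from the original article. The nameserver names, addresses and resolver labels are placeholders, and the ‘observed’ answers are constructed inline so it runs offline; in real use they would come from live queries to the authoritative servers and a handful of public recursive resolvers.

```python
"""Flag unexpected DNS record changes against a known-good baseline.

Added example, not from the original post. All names, addresses and
resolver answers below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass

# Baseline: the records the operator recorded the last time the provider
# account was audited (placeholder values).
BASELINE = {
    "NS": {"ns1.example-dns.net", "NS2.Example-DNS.net."},
    "A": {"203.0.113.10", "203.0.113.11"},
    "MX": {"10 mail.example.com."},
}

# A change to delegation moves the whole zone at once, so it outranks
# a change to an individual host record.
CRITICAL_TYPES = {"NS", "SOA"}
NAME_TYPES = {"NS", "CNAME", "SOA", "MX", "PTR"}


def normalize(rtype, value):
    """Canonicalise a record value so cosmetic differences are not flagged.

    Hostnames are case-insensitive and may or may not carry a trailing dot;
    addresses and MX priorities are left alone apart from whitespace.
    """
    v = " ".join(value.split())
    if rtype in NAME_TYPES:
        return v.lower().rstrip(".")
    return v


@dataclass(frozen=True)
class Finding:
    rtype: str
    added: frozenset
    removed: frozenset
    severity: str


def diff_records(baseline, observed):
    """Return one Finding per record type whose value set differs from the
    baseline. An empty list means nothing changed."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        base = {normalize(rtype, v) for v in baseline.get(rtype, ())}
        seen = {normalize(rtype, v) for v in observed.get(rtype, ())}
        added, removed = seen - base, base - seen
        if added or removed:
            severity = "critical" if rtype in CRITICAL_TYPES else "high"
            findings.append(Finding(rtype, frozenset(added), frozenset(removed), severity))
    return findings


def resolver_disagreement(answers_by_resolver, rtype):
    """Return the resolvers whose answer for `rtype` differs from the majority.

    If this list is empty but diff_records() reports a change, every resolver
    saw the same new data, i.e. the change was made at the authoritative side.
    """
    views = {
        r: frozenset(normalize(rtype, v) for v in a.get(rtype, ()))
        for r, a in answers_by_resolver.items()
    }
    majority, _ = Counter(views.values()).most_common(1)[0]
    return sorted(r for r, view in views.items() if view != majority)


if __name__ == "__main__":
    # Constructed scenario: all three resolvers agree, but the A record and
    # the delegation no longer match the baseline.
    hijacked = {
        "NS": {"ns1.attacker.example."},
        "A": {"198.51.100.5"},
        "MX": {"10 mail.example.com"},
    }
    answers = {"resolver-a": hijacked, "resolver-b": hijacked, "resolver-c": hijacked}
    for f in diff_records(BASELINE, hijacked):
        print(f"[{f.severity}] {f.rtype}: +{sorted(f.added)} -{sorted(f.removed)}")
    print("dissenting resolvers:", resolver_disagreement(answers, "A") or "none")
```

Run from cron against each domain you care about and page on any critical finding; a change you did not make to the NS set is exactly the signal that was missing for an hour here.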

Good thing they didn’t compromise anything important, or we might now be hearing the distant drone of B52s aloft.
I imagine anyone who takes their security seriously will have their DNS in-house anyway.
You’d have thought so, aye. The biggest loser from all this is Twitter, their faces reddened again…
Yeah, as I’ve said, the best part was really the use of the Gmail addy.
And they’re at it again, apparently: http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/