Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Hackers spied on Iranians using fake Google certificate

About 300,000 Iranians had their Gmail accounts compromised and their messages read by hackers, according to a forensics firm that has investigated the theft of hundreds of digital certificates from a Dutch company.

Although the report did not identify the hacker, or hackers, who may have spied on the Iranian users, security researchers have pointed to Iran's government, which has been linked to other attempts to intercept the communications of activists and protesters.

The report was issued Monday by Fox-IT, a digital investigative company that was hired by DigiNotar after the latter's servers were hacked and more than 500 Secure Socket Layer (SSL) certificates were fabricated by intruders. Among the certificates were several that could be used to impersonate any Google site or service, including Gmail.

SSL certificates are used by websites and browsers to identify a site as legitimate and can be abused to disguise unauthorized domains using "man in the middle" attacks.

Fox-IT said that approximately 300,000 IP addresses, each representing at least one computer and so at least one user, had accessed sites displaying a fake certificate for google.com between July 27 and Aug. 29. Nearly all -- Fox-IT said 99% -- of those IP addresses originated in Iran.

Investigators assumed that the google.com certificate was used primarily to spy on Iranians' Gmail accounts.

"Using this [Gmail authentication] cookie, the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored emails," said Fox-IT. The hackers could also use the same credentials to log onto other Google services, including Google Docs and Google Latitude -- in the latter case, to identify the exact location of the victim -- and hijack Facebook and Twitter accounts.

The report confirms what Google said last week, when it acknowledged that Gmail users had been attacked and said "the people affected were primarily located in Iran."

Fox-IT posted a simulation of the traffic that went through the fake google.com domain on YouTube to illustrate Iran's dominance.

While Fox-IT did not accuse the Iranian government of conducting or sponsoring the attack, it made clear the motivation behind what it called "Operation Black Tulip."

"The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private information in Iran," the company said in its report.

Some security researchers have suspected that Iran's government was behind the certificate theft and subsequent attack since news broke a week ago. The Fox-IT report only reinforced their beliefs.

"This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian Internet users," said Chet Wisniewski, a security researcher at U.K.-based Sophos, in a blog post Monday.

In a letter to the Dutch parliament made public Monday, the ministers of the Interior and Security and Justice said the government was investigating DigiNotar for possible negligence.

Fox-IT's reports painted a bleak picture, saying that DigiNotar was unaware for weeks that hackers controlled its servers, that the server software was outdated and unpatched, and that it was not protected by antivirus software, which would have sounded the alert when the intruders planted malware on the machines.

And the attacks against DigiNotar continue, the report said.

"Current analyses still show hacking attempts on the Web server originating from Iran," Fox-IT said.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Facebook, Google, Socket, Sophos, Topic
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: security
Latest Blog Posts
Whitepapers
  • Five Things You Need to Know About Your Users Before You Deploy Business Intelligence
    In our years of experience working with companies of all types and sizes to design and deploy business intelligence systems, we’ve learned that there are five key things you need to know about your users before you roll out related technologies to them. In this paper, we will discuss these five things, as well as their implications.
    Learn more »
  • 8 reasons why Citrix NetScaler beats the competition
    Application delivery controllers (ADC) are one of the most critical elements of cloud infrastructures and enterprise data centre architectures. ADCs strongly impact performance, scale and security of the entire application environment, so it is extremely important for IT leaders to choose the right one.
    Learn more »
  • Fixing Your Dropbox Problem - How the Right Data Protection Strategy Can Help
    It’s estimated that more than 50 million people have used public cloud storage services such as Dropbox to share and exchange files. Public cloud services are so easy to use that their openness can undermine existing IT policies regarding the transmission of confidential data. With data volumes threatening to overwhelm onsite storage, IT managers are looking to find a solution that’s affordable and secure. This paper details a simple three-step approach to helping users manage access to the public cloud without placing your data or your business at risk. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments