Hacktivists seek to aid Iran protests with cyberattacks and tips on how to bypass internet censorship

Key Points
  • Protests erupted in Iran after the death of Mahsa Amini, a 22-year-old Kurdish Iranian woman who died after being held in custody.
  • The Iranian government disrupted internet connectivity and blocked access to social media services like WhatsApp and Instagram.
  • Anonymous and other hacking groups are organizing online to orchestrate cyberattacks on Iranian officials and institutions and help citizens bypass internet censorship.

Anonymous and other global hacking groups are engaged in a multipronged cyber assault on Iran, joining the fight with protesters on the ground in resistance to the country's strict hijab laws.

Thousands of amateur hackers have organized online to orchestrate cyberattacks on Iranian officials and institutions, as well as share tips on how to get around curbs on internet access by using privacy-enhancing tools.

Internet access in Iran has been extremely limited in recent weeks after protests erupted over the death of Mahsa Amini, a 22-year-old Kurdish Iranian woman.

Amini died in hospital in Tehran under suspicious circumstances on Sept. 16 after being detained by Iran's so-called "morality police" for allegedly violating the country's strict Islamic dress code by wearing her hijab too loosely.

Eyewitnesses say Amini was beaten by the police. Iranian authorities denied any wrongdoing and claim Amini died of a heart attack.

The Iranian Foreign Ministry did not reply to a CNBC request for comment. On Monday, Iran's supreme leader, Ayatollah Ali Khamenei, delivered his first public remarks on the protests, backing the police and blaming the unrest on "foreign interference" from the U.S. and Israel.

Doxing and DDoS attacks

On Sept. 25, Anonymous, the international hacktivist collective, claimed to have broken into the database of the Iranian Parliament, obtaining the personal information of lawmakers.

A YouTube account purporting to be affiliated with the group said the Iranian assembly had been hacked.

"The Iranian parliament supports the dictator when it should support the people, so we are releasing the personal information of all of them," they said, their voice altered in a way typical of the cyber gang.

On the messaging app Telegram, Atlas Intelligence Group, another hacking group, says it leaked phone numbers and email addresses of Iranian officials and celebrities, a tactic known as "doxing."

It also offered to sell apparent location data on the Islamic Revolutionary Guard Corps, a branch of Iran's armed forces, according to Check Point, which has been documenting hacktivists' efforts in Iran.

Anonymous-affiliated groups say they also released data purported to have come from various government services, ministries and agencies — as well as a university — and claimed responsibility for hacks on the Iranian presidency, central bank and state media.

While it is difficult to verify the hackers' claims, cybersecurity experts said they have seen numerous signs of disruption to Iran from vigilante hackers.

"We have observed a few indications of government websites being taken offline by hackers," Liad Mizrachi, security expert at Check Point Research, told CNBC. "Predominantly we have seen this being done through Distributed Denial of Service (DDoS) attacks."

In a DDoS attack, hackers overload a website with large amounts of traffic to make it inaccessible.

"Mandiant can confirm that several of the services claimed to have been disrupted have been offline at various points in time, and in some cases, remain unavailable," Emiel Haeghebaert, threat intelligence analyst at the cybersecurity company, told CNBC.

"Overall, these DDoS and doxing operations may add to the pressure on the Iranian government to pursue policy changes," he said.

On Anonymous' involvement, Haeghebaert noted it was "consistent with activity" previously credited to affiliates of the organization. Earlier this year, Anonymous launched a slew of cyberattacks on Russian entities in response to Moscow's unprovoked invasion of Ukraine.

Bypassing internet restrictions

Hacking groups are encouraging Iranian citizens to bypass Tehran's internet blockade by using VPNs (virtual private networks), proxy servers and the dark web, techniques that allow users to mask their online identity so they can't be tracked by internet service providers (ISPs).

On the messaging app Telegram, a group with 5,000 members shares details about open VPN servers to help citizens bypass Tehran's internet blockade, according to cybersecurity firm Check Point, which has been documenting hacktivists' efforts in Iran.

A separate group, with 4,000 members, distributes links to educational resources on the use of proxy servers, which tunnel traffic through a constantly changing community of computers run by volunteers to make it difficult for regimes to restrict access.

As dissent grew in the Islamic republic, the government quickly moved to throttle internet connectivity and block access to social media services like WhatsApp and Instagram, in an apparent effort to stop footage of police brutality being shared online.

At least 154 people have been killed in the Iranian government's crackdowns as of Sunday, according to the independent and nongovernmental Iran Human Rights Group. The government has reported 41 deaths.

Web security firm Cloudflare and internet monitoring group NetBlocks have documented multiple examples of disruptions to telecommunications networks in Iran.

"It's been really hard to be in touch with friends and family outside Iran. The internet is messed up here so sometimes we can't communicate for days," one young professional in Tehran told CNBC via Instagram message, requesting anonymity due to fear for his safety.

"I have limited access to Instagram so I use that for the time being," to contact people, he said, adding that he and his friends rely on VPNs to access social media platforms.

It is believed to be one of the worst internet blackouts in Iran since November 2019, when the government restricted citizens' access to the web amid widespread protests over fuel price hikes.

"THEY ARE SHUTTING THE INTERNET TO HIDE THE KILLING. BE OUR VOICE," several videos and posts widely shared by Iranian activists on social media read, along with footage of street protests and police violence.

Digital freedom activists are also trying to teach Iranians how to access the Tor browser, which lets users connect to normal websites anonymously so that their ISPs can't tell what they're browsing. Tor is often used to access the "dark web," a hidden portion of the internet that can only be accessed using special software.

"It is not the first time we see actors involved in Iranian affairs," Amin Hasbini, director of global research and analysis at cybersecurity firm Kaspersky, told CNBC.

Lab Dookhtegan, an anti-Iran hacking group, has been known to leak data claimed to belong to Iranian cyber-espionage operations on Telegram, for example. A report from Check Point last year detailed how Iranian hacking groups were targeting dissidents with malware to conduct surveillance on them.