The Islamic Republic has reacted to domestic unrest with a new cyber campaign against dissidents in the Iranian diaspora, a cyber expert targeted by Iran told The Jerusalem Post on Friday.
Beyond targeting those vocal against the regime’s brutal treatment of protesters in recent weeks, UK-based Iranian opposition activist and independent cyber espionage investigator Nariman Gharib shared that members of the Syrian opposition, journalists, activists, and Israeli diplomats were being targeted.
Gharib’s confirmation came as activists and journalists have been reporting online that Islamic Republic agents have been posing as officials from Israeli media station ILTV News and well-regarded peace activists in the region.
Israeli-American ILTV journalist Emily Schrader confirmed she was among those targeted by the regime.
Gharib listed some of the other Israeli targets as Yesh Atid MK Moshe Tur-Paz, Deputy Consul-General of Israel in Dubai Dana Filber, and policy adviser Eyal David.
Schrader told the Post that this was not the first time the Islamic Revolutionary Guard Corps had targeted her, noting how it had earlier posed as Reuters and attempted to have her click a link for Google Meet. In another instance, several years earlier, Iran had attempted to kidnap her at a fake women’s conference it staged in Amsterdam.
Asked why they targeted her, Schrader answered that she was among the “most vocal voices on this issue in the State of Israel.”
Islamic regime attempts to send phishing email
The constant phishing attempts by Iran and plots to harm her have left Schrader extremely cautious, she said. She is unable to travel professionally to multiple countries, including the United Arab Emirates, the UK, and France, unless someone is sponsoring the cost of her security.
“There is tremendous pressure at all times,” she said, adding that she did not want to give the Islamic Republic the personal satisfaction of knowing how their threats have impacted her. It is for this reason, Schrader said, that she continues her work in journalism and hasbara – public diplomacy – despite the apparent risks.
“Anyone who is working on these issues cannot allow themselves to be silenced by sinister actors like the Islamic Republic,” she stressed.
Germany’s Federal Office for the Protection of the Constitution (BfV) confirmed to DW News, in an article centered on the regime’s targeting of exiled Iranians, that “transnational repression measures by Iranian intelligence services against dissident organizations and individuals from the diaspora include targeted espionage, discrediting, intimidation, threats, and even the use of violence.”
Gharib said he was first targeted by the IRGC in 2015 after Tehran arrested one of his friends at an airport in the capital. The regime attempted to send a phishing email from the friend’s personal device, seeking to access Gharib’s private information.
“The lesson here is that you must be extremely careful about who is sending you messages on WhatsApp, Telegram, or email, and what links you click,” he advised.
Gharib said he knew where the attacks were coming from as he had a “singular adversary” interested in him – the Islamic Republic.
“Western governments do not need to hack my phones to gather information about me. Even China and Russia have no reason to do so. This is the first step in attribution,” he noted.
“Understanding who is being targeted, whether an Iranian or Israeli journalist or activist, and for what reason, helps you identify the hacking group behind an attack.”
The next step in confirming the origins of attacks was to review published data from security researchers and cybersecurity professionals to match new data with past incidents, Gharib added.
Wary of claims that Tehran had purchased cyber weapons from Russia or China, Gharib said he believed most of the technologies Iran used were either developed domestically or purchased on the dark web and customized, making it easy for experts to identify the origins of attempted attacks.
Sharing his research, Gharib outlined how the Iranian regime hacks users’ WhatsApp, Gmail, and Telegram accounts despite two-factor authentication.
Using DuckDNS for its infrastructure, the Islamic Republic sends links that impersonate WhatsApp meeting invitations. The page serves the user a live QR code that, when scanned, lets the regime authenticate its own WhatsApp session as the victim. This specific hack enables hostile agents to snap photos from the victim’s device every five seconds, record audio in three-second chunks, and geolocate the device every two seconds.
The online publication TechCrunch also confirmed that DuckDNS was masking the actual phishing page, hosted on alex-fabow.online, and that the domain names mimicked those of private chat rooms. The site was able to confirm that the hackers had targeted around 50 people from the Kurdish community, as well as academics, government officials, business leaders, and other senior figures across the broader Iranian diaspora and the Middle East.
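The lure pattern described above, a DuckDNS host fronting the real page and a link worded like a WhatsApp meeting or chat-room invitation, can be screened for before anyone clicks or scans. The following checker is an added example, not code from the article or from any researcher it quotes; the suffix lists, lure words and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)  # infrastructure the article names
GENUINE_WHATSAPP_HOSTS = ("whatsapp.com", "wa.me")  # where real invites live
LURE_TOKENS = {"whatsapp", "meet", "meeting", "invite", "invitation", "chat", "room", "join"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not from the article), in the shape of the lure it describes.
SAMPLE_MESSAGES = [
    "Join our WhatsApp meeting here: https://whatsapp-meeting-invite.duckdns.org/join",
    "Interview request, details at https://newsroom-press.duckdns.org/doc",
    "Group link: https://chat.whatsapp.com/AbCdEf123",
    "Latest article: https://example.org/news/protests",
]

def _under(host, suffixes):
    """True when host is one of, or a subdomain of, the given suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _tokens(text):
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}

def classify_url(url):
    """Rate one link 'high', 'medium' or 'none' and explain why."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _under(host, GENUINE_WHATSAPP_HOSTS):
        return "none", ["genuine WhatsApp host"]
    reasons = []
    dyn = _under(host, DYNAMIC_DNS_SUFFIXES)
    if dyn:
        reasons.append("dynamic-DNS host can front any real page")
    lure = (_tokens(host) | _tokens(parsed.path)) & LURE_TOKENS
    if lure:
        reasons.append("invitation lure words: " + ", ".join(sorted(lure)))
    brand = "whatsapp" in _tokens(host)
    if brand:
        reasons.append("WhatsApp brand in a non-WhatsApp host")
    if dyn and lure:
        return "high", reasons
    if dyn or brand:
        return "medium", reasons
    return "none", reasons

def scan_message(text):
    """Return (url, level, reasons) for every link found in a chat message."""
    return [(u, *classify_url(u)) for u in URL_RE.findall(text)]
```

A genuine WhatsApp group invite lives on chat.whatsapp.com, and the app's own device-linking QR code is shown on web.whatsapp.com, never delivered through a third-party link, so any "scan this to join" page on another host deserves the high rating.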
Ian Campbell, a threat researcher at DomainTools, confirmed to the publication that most of the bogus sites had been set up between November and August last year, prior to the protests, and that the attacks seemed to be driven by a cyber motive.