Iran devising phone apps for ‘mass surveillance’ of dissidents, new report says

Iran’s intelligence services have “significantly accelerated” spying on their own citizens in the wake of anti-regime protests that rocked the nation, according to an extensive investigation released Thursday by a leading Iranian exile dissident group.

The Paris-based National Council of Resistance of Iran, relying on sources that it says include some inside the government, contends the country’s Islamic Revolutionary Guard Corps and Ministry of Intelligence and Security are engaging in “mass surveillance” of protesters and dissidents by employing a web of state-produced mobile phone apps.

Just days after U.S. intelligence warned in its annual “Worldwide Threat Assessment” of increased cyberthreats emanating from Iran, the NCRI report said the Islamic Revolutionary Guard Corps has so successfully deployed its social media spyware that millions of users outside Iran could be exposed to it.

While not immediately verifiable, the assertion marks the latest push by the NCRI, which also has a U.S. branch, to expose what it says are authoritarian and nefarious activities by Tehran. The Iranian regime, in turn, accused the group of having a hand in stoking violent street protests against economic conditions in recent months.

Although the NCRI has had at times a contentious relationship with Washington, it is believed to have deep sources in Iran and is credited with major revelations — particularly in exposing secretive Iranian nuclear facilities in the early 2000s.

The report released Thursday says an internal network of sources tied to the People’s Mujahedeen Organization of Iran or MEK — the principal member of the NCRI — has uncovered the regime’s use of “mass surveillance through malicious codes embedded in IRGC mobile apps to actively disrupt the communication of protesters and dissidents.”

“IRGC front companies are developing spyware-enabled apps for cybersurveillance and repression,” the report said. Some of the apps have succeeded in penetrating platforms promoted by Google and Apple and are tied to Telegram — the globally popular, cloud-based encrypted instant-messaging service that was heavily used in the recent demonstrations.

“Ironically, some of these spyware-enabled apps are available on Google Play, Apple Store, and GitHub, potentially exposing millions of users worldwide to the IRGC’s spyware and surveillance activities,” the report said.

“The IRGC has weaponized Western cybertechnology to target its own people,” said Alireza Jafarzadeh, deputy director of the NCRI’s Washington office. “The organization that’s developing these apps is also responsible for the regime’s cyberwarfare against the United States.

“What the regime is doing is testing the success of these apps on the people of Iran first,” he said. “If not confronted, the next victims will be the people of other nations, and that’s why it’s so important to react and do something.”

Using a ‘fork’

One key entry point for the regime was a Persian-language “fork” — a locally designed variation — called Mobogram. Such unauthorized forks often are plagued with security “back doors” that can be hacked easily.

Telegram CEO Pavel Durov has warned about the security weaknesses of Mobogram, saying on Twitter in July that the app is “an outdated and potentially insecure fork of Telegram from Iran” and telling followers, “I don’t advise to use it.”

But Mr. Jafarzadeh said Thursday that such warnings are not enough and that Telegram should “deny licenses to those developers who are IRGC people.”

“The ordinary person in Iran doesn’t know any of these things,” Mr. Jafarzadeh said. “They don’t have the tools and can easily fall into this trap.”

He said the U.S. government should put more pressure on American companies such as Google and Apple to stop making apps tied to the IRGC available on their platforms.

Also this week, the U.S. intelligence community said in a global survey that Iran, along with Russia, China and North Korea, will “pose the greatest cyber threats to the United States during the next year.”

“We assess that Iran will continue working to penetrate U.S. and allied networks for espionage and to position itself for potential future cyber attacks,” said the “Worldwide Threat Assessment,” a survey that Director of National Intelligence Dan Coats delivered to Congress on Tuesday. The primary focus of Tehran’s cyberattacks, the report said, will not be the U.S. but regional adversaries such as Saudi Arabia and Israel.

The NCRI report said the wave of anti-regime demonstrations in cities across the country late last year and in early January “sent shock waves inside the regime.”

With some 48 million of Iran’s 80 million citizens estimated to own smartphones, the report said, “mobile devices and social messaging platforms played a significant role in helping the protesters to organize, exchange information between different locales, and get their message out to the rest of the world.”

“The protesters’ use of cyber technology proved to be the regime’s Achilles’ heel since it could not, despite a huge show of force, stop the expansion of protests,” the report said, forcing the regime to step up its domestic cyberwarfare efforts.

The NCRI argues that IRGC-led domestic cyberwarfare also represents a grave violation of Article 19 of the United Nations-backed Universal Declaration of Human Rights.

Iranian universities have become “a recruiting ground for IRGC cyberwarfare personnel,” the dissident group said, with recruits hired through front companies that “often engage in ‘research’ activities with a few of the IRGC’s ‘handpicked professors.’”

“These companies identify the needed talent for cyberwarfare,” said Thursday’s report, adding that “many of these recruits leave once they discover the companies’ links to the IRGC.”

The report suggested its claims were based on an information-gathering effort by members of the MEK inside Iran. Despite being a main component of the NCRI, the MEK has drawn scrutiny in Washington over the years because the State Department had listed it as a terrorist organization until 2012.

While the MEK is seen as virulently against the regime in Tehran, U.S. officials have said the group’s terrorist listing was related to attacks its members carried out against U.S. interests in the Middle East decades ago.