Monday, September 5, 2011

Diginotar: Iranians – The Real Target

Via TrendLabs Malware Blog -

In this blog posting, we present concrete evidence that the recent compromise of Dutch Certification Authority Diginotar was used for spying on Iranian Internet users on a large scale.

We found that Internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by Diginotar. Even worse: we found evidence that some Iranians who used software designed to circumvent censorship and snooping on traffic were not protected against the massive man-in-the-middle attack.


On August 29, 2011, the rogue SSL certificate issued by Diginotar was discovered. This rogue certificate makes snooping on Gmail traffic possible in man-in-the-middle attacks. Trend Micro has concrete evidence that these man-in-the-middle attacks did indeed happen on a large scale in Iran.


Attack Targeted Iranian Users

For the domain, we see a very remarkable pattern in recent weeks: it was loaded mostly by Dutch and Iranian Internet users until August 30, 2011. This domain name is used by Internet browsers to check the authenticity of SSL certificates issued by Diginotar. Diginotar is a small Dutch Certification Authority with customers mainly in the Netherlands. We therefore expect this domain name to be requested mostly by Dutch Internet users and perhaps a handful of users from other countries, not by large numbers of Iranians.

From analysis of Smart Protection Network data, we see that a significant part of the Internet users who loaded the SSL certificate verification URL of Diginotar on August 28, 2011 were from Iran. On August 30, 2011 most of the traffic from Iran disappeared, and by September 2, 2011 almost all of the Iranian traffic was gone and the Diginotar domain was again requested mostly by Dutch Internet users, as expected.

These aggregated statistics from Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large-scale man-in-the-middle attack, in which SSL-encrypted traffic could be decrypted by a third party. For example: a third party was probably able to read all e-mail communication an Iranian Internet user sent from his Gmail account.
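The kind of check described above, as an added example that is not part of the TrendLabs post: a Python script that parses constructed request-log lines (day, client country, requested host), computes each country's share of requests for a CA's certificate-validation host, and flags days on which a country outside the CA's expected customer base dominates that traffic. The hostname validation.ca.example, the log format and the log lines are all assumptions made for the example; the real Diginotar validation domain and Trend Micro's Smart Protection Network data are not reproduced here.

```python
"""Geographic-anomaly check for CA certificate-validation traffic.

Added example, not TrendLabs code. Browsers fetch a CA's OCSP/CRL host
to check certificates it issued, so the countries that request that host
mirror the countries where its certificates are being presented. A CA
with a Dutch customer base should see mostly Dutch requests; a sudden
majority from elsewhere is a sign its certificates are being misused there.
"""
from collections import Counter, defaultdict

# Placeholder for the CA's validation (OCSP/CRL) hostname; an assumption.
VALIDATION_HOST = "validation.ca.example"
# Countries where the CA's customers actually are; an assumption.
EXPECTED_COUNTRIES = {"NL"}

# Constructed log lines: "<YYYY-MM-DD> <client country> <requested host>"
SAMPLE_LOG = """\
2011-08-27 NL validation.ca.example
2011-08-27 NL validation.ca.example
2011-08-27 DE validation.ca.example
2011-08-28 IR validation.ca.example
2011-08-28 IR validation.ca.example
2011-08-28 IR validation.ca.example
2011-08-28 NL validation.ca.example
2011-08-28 IR www.example.org
2011-09-02 NL validation.ca.example
2011-09-02 NL validation.ca.example
2011-09-02 BE validation.ca.example
"""


def parse_log(text):
    """Yield (day, country, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day, country, host = parts
        yield day, country.upper(), host.lower()


def country_shares(records, host=VALIDATION_HOST):
    """Per-day share of requests for `host`, broken down by client country.

    Requests for other hosts are ignored, so only validation traffic counts.
    """
    per_day = defaultdict(Counter)
    for day, country, requested in records:
        if requested == host:
            per_day[day][country] += 1
    shares = {}
    for day, counts in per_day.items():
        total = sum(counts.values())
        shares[day] = {c: n / total for c, n in counts.items()}
    return shares


def flag_anomalies(shares, threshold=0.5, expected=EXPECTED_COUNTRIES):
    """Return {day: [(country, share), ...]} for countries outside the
    expected customer base whose share of validation traffic reaches
    `threshold` on that day. A handful of foreign requests is normal;
    a foreign majority is not."""
    flagged = {}
    for day, by_country in sorted(shares.items()):
        hits = [(c, s) for c, s in by_country.items()
                if c not in expected and s >= threshold]
        if hits:
            flagged[day] = sorted(hits, key=lambda cs: -cs[1])
    return flagged


if __name__ == "__main__":
    shares = country_shares(parse_log(SAMPLE_LOG))
    for day, hits in flag_anomalies(shares).items():
        for country, share in hits:
            print(f"{day}: {share:.0%} of validation requests came from {country}")
```

With the constructed lines, 2011-08-27 and 2011-09-02 pass (one foreign request each among mostly Dutch ones) while 2011-08-28 is flagged because three of the four validation requests came from IR; the request for www.example.org on that day is not counted at all, since only traffic to the validation host matters. The threshold and the expected-country set would be tuned against a baseline period on real data.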

Closer analysis of our data revealed even more alarming facts: we have seen that outgoing proxy nodes in the US of anti-censorship software made in California were sending web rating requests for to the cloud servers of Trend Micro. Very likely this means that Iranian citizens who were using this anti-censorship software were victims of the same man-in-the-middle attack. Their anti-censorship software should have protected them, but in reality their encrypted communications were probably snooped on by a third party.


cui bono?

Who has the most to gain from spying on everyday normal Iranians inside Iran?

The Iranian government would be the most likely answer.
