HackerWatch

The Rising Wave Of Impersonation

Miaan Group has documented multiple attacks on civil society groups inside and outside of Iran, which constitute the largest and most coordinated impersonation and phishing campaign since the outbreak of the Mahsa Jina Amini movement last year.

This report is the result of research and documentation of over 100 attacks that targeted journalists, civil society activists, and rights defenders of ethnic and religious minorities domestically and abroad in 2023. The focus of this report is on examining trends instead of individual cases. However, some examples of the attacks are provided to illustrate the trends and methods.

The attackers, who are believed to be sponsored by the Iranian government, have been impersonating U.S.-based think tanks, such as the Atlantic Council, that have been vocal in supporting Jina’s movement and other pro-democracy causes in Iran. However, unlike the previous attacks that targeted mainly the think tanks themselves or their affiliates, the recent wave of attacks has expanded its scope and sophistication to target a wider and more diverse range of civil society actors, especially ethnic minorities, journalists, and human rights lawyers.

The attackers have been exploiting the lack of information and awareness among the target groups, as well as various crises in Iran, such as the mysterious suspected poisoning of hundreds of schoolgirls earlier this year, to lure targets into clicking on malicious links or opening infected attachments. The links and attachments are designed to harvest the targets' account credentials and personal data and to compromise their devices and networks.

The attacks pose a serious threat to the security and privacy of the target groups, as well as to the integrity and credibility of the information and communication channels that they rely on. The attacks also reveal the increasing capabilities and ambitions of the Iranian government in conducting cyber operations against its perceived enemies, both domestically and

Key Findings

  1. The main target group of the attacks consists of individuals and organizations from ethnic minorities, such as Kurds and Turkish-Azerbaijanis. The attackers impersonate U.S.-based think tanks or NGOs that claim to support the rights and interests of these minorities and offer them funding, training, or advocacy opportunities.
  2. Journalists who are working on different angles of Jina's movement, such as the legal, social, or cultural aspects, are also targeted.
  3. Independent artists, art galleries, and art spaces that supported the "Woman, Life, Freedom" movement were among the victims.
  4. Lawyers who are trying to form a council to support protesters, detainees, and their families, who have been affected by the Iranian government's brutal crackdown on Jina's movement and other dissenting voices, are also targeted.
  5. The attacks are not technically sophisticated: they rely on basic phishing techniques and tools, such as fake Google Drive links or Microsoft Word documents. They are sophisticated on the social engineering side, however, using convincing and customized messages that appeal to the targets' emotions, needs, or curiosity.
  6. The attacks show that the Iranian government has improved its open-source intelligence (OSINT) operation: it is able to research and collect information about its targets, such as their names, affiliations, interests, or activities, and use this information to craft more effective and persuasive social engineering attacks.
  7. The attacks abuse legitimate Google infrastructure, such as Google Sites, to host the phishing pages, so the links carry a genuine google.com domain and pass a domain-only reputation check.
  8. Most account owners had two-step verification enabled. The phishing pages were built to prompt the victim for the two-step code as well, so the attacker can complete the login with it; one-time codes delivered by SMS or an authenticator app do not protect against this, since the victim types the code into the attacker's page, whereas a hardware security key bound to the real site's origin would.
  9. Social engineering tactics mainly focused on threatening to close users' accounts for violating the platforms' terms, offering verified ("blue tick") status on social media, and requesting interviews for research.

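Findings 5 and 7 above describe lures that survive a domain-based reputation check: the link is a real Google Sites or Google Drive URL, and only the path and the anchor text give the impersonation away. The triage helper below is an added example written for this page, not code from Miaan Group or HackerWatch. It flags links whose host is a user-content platform (so the page is attacker-controlled despite the trusted parent domain), paths on such hosts that name an impersonated organization, and anchor text that displays one domain while the href points at another. The host list, the impersonated-organization list, and the sample email are all assumptions constructed for illustration; the URLs in it are fictional and are not indicators from the report.

```python
"""Triage links in a phishing email that abuses legitimate hosting.

Added example, not part of the Miaan Group report. All hosts, names and
sample links below are constructed for illustration.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where anyone can publish content under a trusted parent domain.
# A domain allow-list passes these, so the path must be inspected. (Assumed list.)
USER_CONTENT_HOSTS = {"sites.google.com", "drive.google.com", "docs.google.com", "forms.gle"}

# Organizations the report says were impersonated; matched against attacker-controlled paths.
IMPERSONATED_ORGS = ("atlanticcouncil",)

# Anchor text counts as "URL-looking" if it has a scheme, starts with www., or is host/path.
# The path requirement keeps filenames such as "Agenda.docx" from being read as domains.
URLISH = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)|^[a-z0-9.-]+\.[a-z]{2,}/", re.I)


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the hosts used here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(href: str, text: str = "") -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means none found."""
    reasons: list[str] = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    if host in USER_CONTENT_HOSTS:
        reasons.append(f"hosted on user-content platform {host}")
        for org in IMPERSONATED_ORGS:
            if org in url.path.lower():
                reasons.append(f"path impersonates {org} on {host}")

    # Visible text naming a different domain than the href is a classic lure.
    text = text.strip()
    if text and URLISH.match(text):
        candidate = text if "://" in text else "http://" + text
        text_host = (urlparse(candidate).hostname or "").lower()
        if text_host and _registrable(text_host) != _registrable(host):
            reasons.append(f"anchor text says {text_host} but href goes to {host}")
    return reasons


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._buf = []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def triage_html(body: str) -> dict[str, list[str]]:
    """Map each href in an HTML body to its list of suspicion reasons."""
    parser = _LinkExtractor()
    parser.feed(body)
    return {href: classify_link(href, text) for href, text in parser.links}


# Constructed sample modelled on the lure pattern the report describes
# (interview request, think-tank impersonation, Google-hosted page). Fictional.
SAMPLE_EMAIL = """
<p>Dear colleague, we would like to interview you for our research.</p>
<p>Please confirm at
<a href="https://sites.google.com/view/atlanticcouncil-interview/home">
atlanticcouncil.org/interview</a> and see the attached agenda at
<a href="https://drive.google.com/file/d/EXAMPLE/view">Agenda.docx</a>.</p>
<p>Our website: <a href="https://www.atlanticcouncil.org/">atlanticcouncil.org</a></p>
"""

if __name__ == "__main__":
    for href, reasons in triage_html(SAMPLE_EMAIL).items():
        print(href, "->", reasons or ["no indicators"])
```

The point of the check is that the first two links would pass any filter keyed on the registrable domain (google.com); only the attacker-controlled path and the mismatched anchor text expose them. In production this heuristic belongs alongside, not instead of, origin-bound authentication such as FIDO security keys, which finding 8 shows is the control that actually stops code-relaying phishing.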
Read our full report here