Cross-border Security

The Danger of Migrating from an International to a National Domain

Every day, more companies are joining the sanctions club by restricting access to their services and products for end users in Iran. These sanctions were supposed to target the government of Iran, but day after day they have turned into a direct weapon against Iranian citizens who, uninvolved in politics, are being punished because of their nationality.

In the latest development, US sanctions hit the Iranian regime's tech and media industry on January 25th 2020. Fars News Agency's website, the state-run propaganda machine of the Revolutionary Guard, has been officially prevented from using the .com top-level domain as a result of U.S. Treasury Department sanctions.

Fars News Agency publishes news in Persian, English, Arabic and Turkish so the loss of the .com domain will deprive it of the audience it has outside Iran.

Fars says US sanctions have knocked it off the internet and rendered it inaccessible. Fars added that it had received an email from the server company informing it that the blocking was due to an order by the Treasury's Office of Foreign Assets Control (OFAC).

Like most other websites, Fars has alternative domain names, such as farsnews.ir. An official admitted that the Telecommunications Infrastructure Company had restored the domain to Fars by using DNS spoofing, or hacking in simple terms. Using this, they are redirecting traffic to an .ir domain. This was done through DNS cache poisoning, with Iran starting to redirect the traffic of farsnews.com to farsnews.ir at the infrastructure level for viewers of the website inside Iran. As a result, for almost a day farsnews.com visitors would see a message saying the IP address could not be found.

Digital security experts and hacker hunters say this is the first time in Iran's internet history that the regime has admitted to DNS spoofing. Moreover, according to FireEye, this DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors associated with APT33 activity.

DNS spoofing is a method used by hackers to redirect the traffic of a particular website to another destination. Currently, anyone inside Iran who tries to access farsnews.com is automatically redirected to farsnews.ir, a national domain which can avoid U.S. sanctions. Outside Iran, however, farsnews.com cannot be reached unless farsnews.ir was visited before and the IP address still exists in the browsing history of the device used to access the site. Visitors inside Iran now have access to the website of Fars News Agency, but losing the .com domain means the news agency will lose its visibility in search engines and all the links to its website, at least for visitors from outside Iran.
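The redirect described above is visible from the defender's side as a change in what resolvers answer for the name. The following is an added example, not code from the article or from any of the parties it mentions: it compares answer records from several resolvers against a pinned baseline and flags resolvers that return an unexpected CNAME, an unexpected A record, or an address inside a suspect network. The log format, the resolver addresses, the baseline addresses and the "suspect" network are all constructed placeholders from the RFC 5737 documentation ranges; only the two hostnames come from the article.

```python
import ipaddress
from collections import defaultdict

# Pinned baseline for the watched name, captured out-of-band from the
# authoritative servers (constructed placeholder addresses, not the real records).
BASELINE = {
    "farsnews.com": {"A": {"203.0.113.10", "203.0.113.11"}, "CNAME": set()},
}

# Address space a domestic redirect would land in (constructed placeholder).
SUSPECT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed resolver log: one answer record per line, key=value fields.
# The third and fourth lines model the in-country redirect; the last line
# models a resolver handing out one address that was never in the baseline.
SAMPLE_LOG = """\
resolver=203.0.113.53 qname=farsnews.com type=A rdata=203.0.113.10
resolver=203.0.113.54 qname=farsnews.com type=A rdata=203.0.113.11
resolver=198.51.100.53 qname=farsnews.com type=CNAME rdata=farsnews.ir
resolver=198.51.100.53 qname=farsnews.com type=A rdata=198.51.100.7
resolver=198.51.100.54 qname=farsnews.com type=A rdata=203.0.113.10
resolver=198.51.100.54 qname=farsnews.com type=A rdata=203.0.113.99
"""


def parse_line(line):
    """Parse one 'key=value key=value ...' log line into a dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    missing = {"resolver", "qname", "type", "rdata"} - fields.keys()
    if missing:
        raise ValueError(f"log line missing fields {sorted(missing)}: {line!r}")
    return fields


def group_answers(log_text):
    """Group records as {(resolver, qname): {rtype: set(rdata)}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["resolver"], rec["qname"].lower().rstrip("."))
        grouped[key][rec["type"]].add(rec["rdata"])
    return grouped


def check_answers(qname, answers, baseline=BASELINE, suspect_networks=SUSPECT_NETWORKS):
    """Compare one resolver's answers for qname against the pinned baseline.

    Returns a list of human-readable findings; an empty list means the
    answers match the baseline exactly.
    """
    expected = baseline.get(qname)
    if expected is None:
        return []  # name is not under watch
    findings = []
    for cname in sorted(answers.get("CNAME", set())):
        if cname not in expected["CNAME"]:
            findings.append(f"unexpected CNAME to {cname}")
    for addr in sorted(answers.get("A", set()), key=ipaddress.ip_address):
        if addr not in expected["A"]:
            findings.append(f"unexpected A record {addr}")
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in suspect_networks):
            findings.append(f"A record {addr} inside suspect network")
    return findings


def detect_hijacks(log_text):
    """Return {resolver: [findings]} for every resolver whose answers deviate."""
    report = {}
    for (resolver, qname), answers in group_answers(log_text).items():
        findings = check_answers(qname, answers)
        if findings:
            report[resolver] = findings
    return report


if __name__ == "__main__":
    for resolver, findings in detect_hijacks(SAMPLE_LOG).items():
        print(resolver)
        for finding in findings:
            print("  -", finding)
```

Running the block prints the two resolvers that deviate from the baseline and why. In practice the baseline would be refreshed from the authoritative servers over a path you trust, and the comparison would run against answers collected from resolvers inside and outside the region of interest, so that a redirect applied "at the infrastructure level" shows up as a disagreement between the two groups rather than as a single bad answer.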

Needless to say, this isn't the first time that domain registrars and hosting providers have put restrictions like this on their Iranian clients. In past years, companies like OnlineNIC, GoDaddy, DreamHost, ASPNix and many others terminated Iranian accounts with or without prior notice, which caused financial damage, and they never responded properly on the matter. It is important to emphasize again that almost all of these technology sanctions do not affect the government of Iran; instead they directly target individuals and private businesses in Iran (except those which are registered in Europe). The result may well be that the Iranian economy and industry would need to function in isolation from the rest of the planet.

The directors of the Telecommunications Infrastructure Company, owned by the Telecommunication Ministry, advised Iranian website owners facing the same problem to use domain names with the national .ir top-level domain, resolving the issue by relying on the infrastructure that exists within the National Information Network (NIN). NIN is an intranet, and it relies on the Internet to function. It is the tool that the regime is planning to use to control its censorship of the internet even more tightly. As a result, it provides access only to selected content and bars VPNs from being used to access the sites that the Iranian authorities have blocked. Under this censorship strategy, plans are already being worked out with state institutions to permit them access to the global internet while blocking access for ordinary Iranians, who would be directed to a tightly monitored domestic internet network.

This could be a sign of something even darker to come, such as a massive internet blackout during nationwide anti-government protests to cover up violence by security forces.

The bigger picture is that tech-related sanctions help the Islamic Revolutionary Guard Corps apply the extreme measures the regime's elite are willing to take to cling to power. As a case in point, beginning on November 17, 2019, in response to the 2019 Iranian fuel protests, an internet shutdown reduced internet traffic in the country to 5% of normal levels. The internet operation effectively cut the country off from the rest of the world, constraining the ability of friends and family members to communicate with each other, and prevented commerce from taking place.

Considering Iran is one of the countries most strongly identified with internet censorship, the question will be raised: Is the US strategy helping the Iranian people, or helping the Iranian regime to gain more power?

This is a cold war against Iran which targets not only the Iranian government but also the Iranian people. It is a gradual but steadily expanding strategy that will cause serious problems for the Iranian people.

Bibliography:
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
https://arstechnica.com/information-technology/2019/06/iranian-state-hackers-reload-their-domains-release-off-the-shelf-rat-malware/
https://en.radiofarda.com/a/iranian-news-agency-targeted-by-us-sanction-resorts-to-hacking-to-get-domain-back-/30396680.html