Malicious Messages Flood Prayer App in Iran Amidst Israeli Strikes

Residents across Tehran and other Iranian cities were jolted awake by loud explosions in the early hours of Saturday morning, as Israel and the US launched joint attacks on Iran. The attacks, which the US and Israel are calling "preemptive strikes," come after a period of failed negotiations between the countries, and on the heels of mass protests in Iran earlier this year that saw the death of at least 3,117 civilians, according to government statistics.

Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded over 5 million times from the Google Play Store. The messages arrived in quick succession over a period of 30 minutes, starting with the phrase "Help has arrived" at 9:52 am Tehran time, shortly after the first set of explosions.

No party has claimed responsibility for the hacks. Screenshots shared with WIRED Middle East show messages urging Iranian military personnel to surrender their weapons with the promise of amnesty. They also urged army personnel to join "the forces of liberation" and to "defend your brothers." The push notifications are all titled "Help is on the way" and call on Iranian military members to surrender.

Cybersecurity analysts confirmed that BadeSaba users had received notifications around the time of the strikes, but have not been able to identify the source of the hack. "At this point, we genuinely do not know who is behind them, whether it was Israel or other anti-government Iranian groups," says Narges Keshavarznia, digital rights researcher at the Miaan Group, adding that no hacker group has claimed credit.

The compromise of assets likely happened some time ago, and these messages of 'help' were timed strategically, claims Morey Haber, the chief security adviser at BeyondTrust. "This is not a smash-and-grab style of attack. It is nation-state versus nation-state and is being executed with intent and precision." Iran on Saturday launched retaliatory kinetic attacks targeting key military bases across the Middle East.

As the war unfolds, the Iranian public has already faced internet blackouts and weeks of severely reduced connectivity. "The country has been experiencing a widespread internet disruption, and access to the internet has significantly decreased in several parts of the country, including Tehran," Keshavarznia says. According to internet monitoring tool NetBlocks, overall network traffic has dropped to 4 percent.

Data from the Radar monitoring system of ArvanCloud, an Iranian-operated cloud service, indicates that many of the country's main data centers and domestic PoP sites have either lost connectivity to the international internet or are experiencing severe disruption, Keshavarznia pointed out. Communication networks are also down, with outages in phone lines and SMS services, and severe degradation of both mobile data and fixed broadband connections.

The push messages urging surrender were part of a larger cyber operation that targeted several state-affiliated news agencies, including IRNA and ISNA, which were reportedly hit by cyberattacks that took their websites temporarily offline. While IRNA is back online, ISNA remains inaccessible at the time of publishing.

The internet and communications outages are familiar to Iranians, who experienced long-term digital blackouts earlier this year during the mass protests that took place across Iran in January. As the internet goes offline in Iran once again, those fears are resurfacing. "Many witnessed what it means when the internet goes dark, and there is no visibility, no documentation, and no outside attention," Keshavarznia says.

The loss of internet connectivity limits civilians' ability not just to communicate, but also to document events, seek help, or inform the outside world. The most urgent concern is not just the technical disruption itself, but the loss of visibility and accountability, she adds.

In conclusion, the malicious messages sent through BadeSaba Calendar are a stark reminder of the escalating cyber conflict in Iran. As the country struggles to cope with the aftermath of the Israeli strikes, it remains unclear who is behind the hack and what their ultimate goal may be.