About 300,000 Internet users in Iran have been spied on last month by one or several hackers who stole security certificates from a Dutch IT firm, a report presented by the Dutch government said on Monday.
Using a stolen certificate the hacker, or hackers, monitored people who visited Google.com, could steal their passwords and could obtain access to other services such as Facebook and Twitter, said Dutch IT firm Fox-IT, which wrote the report.
A certificate guarantees that a web surfer is securely connected but a stolen certificate enables a hacker to pretend a web surfer is securely connected to a website without the surfer knowing he is being monitored.
The report, which Dutch Interior Minister Henk Donner sent to the Dutch parliament, confirmed a statement last week from Google when it said that it had received reports of attacks on Google users and that the people affected were primarily located in Iran.
The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran, Fox-IT said.
Social media such as Twitter and YouTube were used during protests in Iran after presidential elections in 2009, and Iranian authorities have been trying to fight opposition on the Internet, said Afshin Ellian, who fled Iran in the 1980s and is professor at Leiden University's law faculty.
Tehran wants to be aware of oppositional activities inside and outside Iran. Using that information they can forcefully act against the opposition, Ellian said in his blog on the website of Dutch magazine Elsevier.
In April, there were signs Iran was helping Syria put down anti-government protests with advice on monitoring and blocking Internet use, a U.S. official said at the time.
Dutch minister Donner told reporters he had not been able confirm that the certificates, which were stolen from Dutch IT firm DigiNotar, were hacked by Iranian state authorities.
The only thing we have been able to establish is that the people who complained were in Iran, Donner said.
The Dutch government said on Sunday that Dutch state websites may no longer be safe following the DigiNotar attack and the cabinet was investigating whether its sites were hacked by Iran.
The hacker or hackers also fabricated certificates for a website of Israel's intelligence service, Mossad, the CIA and Britain's Secret Intelligence Service, MI6, and other sites such as AOL and Microsoft, Fox-IT said.
NO ANTIVIRUS PROTECTION PRESENT
The hacker or hackers left their fingerprint with the Persian words 'Janam Fadaye Rahbar', meaning 'I will sacrifice my soul for my leader' and identical to a message left when IT company Comodo was attacked in March, Fox-IT said in the report.
DigiNotar's network and procedures were not sufficiently secure to prevent the attack, Fox-IT said.
The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers, Fox-IT said.
The Dutch government was investigating who has been involved in hacking the Dutch firm DigiNotar and the company was held responsible for possible negligence, Donner said in a letter to parliament.
We are looking at the criminal and civil responsibility. The company and its U.S. mother company are cooperating, Donner said.
DigiNotar is owned by U.S.-listed IT firm VASCO Data Security International, which said in a statement earlier on Monday it did not expect the incident to have a significant impact on its future revenue or business plans.
(Reporting by Gilbert Kreijger; Editing by Michael Roddy)