The hackers who penetrated the Dutch firm DigiNotar in July are unknown. They stole electronic certificates that allowed them to pose as google.com and read the traffic of Google's email service, gmail.
On Monday the Dutch government submitted to parliament an investigative report conducted by Fox-IT, a Dutch technology firm.
It reported that the hackers left a Farsi slogan behind at DigiNotar—“Janam Fedaye Rahbar” or “My soul is sacrificed for the Leader,” a revolutionary slogan referring to sacrificing for Ayatollah Khomeini.
That slogan, however, does not prove the hackers were Iranians. Anyone could have left such a fingerprint and could have done so specifically to throw false blame on Iran.
Dutch Interior Minister Henk Donner told reporters the investigation he is leading has not yet been able to establish that the hackers who entered DigiNotar came from the Iranian state. But, he said, “The one thing we have been able to establish is that the people who complained were in Iran.”
Most gmail users would have no idea if their email was being read by someone other than the addressees. But Google Chrome, a relatively new web browser, alerts users when they are being spied on. That was what tipped off Google that someone had gotten illegal access to its email system. (See Iran Times of last week, page one.) The electronic certificate that allowed the hacker to read gmail has since been canceled.
Reuters reported that gmail has about 300,000 users in Iran. How many had their emails read is impossible to know.
Using the stolen certificate, the hacker monitored people who visited google.com, could steal their passwords and could obtain access to other services they used such as Facebook and Twitter, said Fox-IT in its report to the Dutch government.
“The list of domains and the fact that 99 percent of the users [who complained to Google] are in Iran suggest that the objective of the hackers is to intercept private communications in Iran,” Fox-IT said.
The hacker or hackers also fabricated certificates for the websites of Israel’s intelligence service, Mossad, the CIA, Britain’s Secret Intelligence Service, MI6, and other sites such as AOL and Microsoft, Fox-IT said. That doesn’t mean the hacker could read CIA secrets, as the certificate only gave access to the CIA’s public website. That access would have allowed the hacker to make alterations on the public website. But nothing appears to have been done in the weeks before the certificate was canceled.
The “Janam Fedaye Rahbar” slogan was also left in March on the computer of the IT company Comodo, from which access certificates were also stolen, Fox-IT said in the report. The Comodo intrusion and theft were discovered quickly and the certificates canceled within hours, unlike the DigiNotar case. The DigiNotar intrusion occurred July 19 and was itself detected swiftly, and some certificates were canceled. But DigiNotar did not detect the theft of the google.com certificate and did not learn of it until late last month, so the hacker was able to use that certificate for about five weeks before it was canceled.
DigiNotar’s network and procedures were “not sufficiently secure” to prevent the attack, Fox-IT said. “The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers.”
The Dutch government is investigating who was involved in hacking DigiNotar and is holding the company responsible for possible negligence, Interior Minister Donner said in a letter to parliament.
“We are looking at the criminal and civil responsibility. The company and its US parent company are cooperating,” Donner said. DigiNotar is owned by US-listed IT firm VASCO Data Security International.
