Feeds

Iran linked to al-Qaeda's web jihadi crew by old-school phone line

X.25 records reveal possible base for terror cheerleaders

SANS - Survey on application security programs

Updated New information has since come to light following the publication of this article, revealing the real identity of the leased line owner.

An organisation that attempts to recruit Westerners to carry out terrorist attacks on their home soil was backed by the Iranian state, according to an unlikely source of information: leased telephone line records.

Security researcher Michael Kemp found a list of the Middle East nation's leased lines that use the packet switching protocol X.25, and claims that it included a line allocated to Ansar Al-Mujahideen - a popular hangout for Islamic militants.

"In the course of doing some research on X.25 - the network that existed before there was the internet - I stumbled across a document detailing all the X.25 network user addresses for the country of Iran," Kemp told El Reg.

"In Iran all connections have to be approved by an organisation called DCI: the Data Communications Company of Iran.

"I found a network user address that appears, if the document is genuine, to pertain to Ansar Al-Mujahideen. Ansar Al-Mujahideen are lovely people who are very much supportive of Jihad as a concept, and have been linked to al-Qaeda. And they have a state-licensed leased line in Iran," the co-founder of UK-based Xiphos Research added.

Checking the validity of the paperwork by attempting to access the leased line would violate the UK's strict anti-hacking laws - specifically the Computer Misuse Act. Kemp said he was unable to rule out the possibility that the list was planted as some sort of disinformation campaign, but argues that the circumstances make this unlikely.

"It's not an 'internal' document but a result of some X.25 walking a student was doing a while ago - about four years ago - but X.25 data network identification codes (DNICs) and their network user addresses (NUAs) are pretty much fixed so that really doesn't matter," Kemp said. "There is nothing to prove the doc is legit, but if it is someone pissing around, they have spent a lot of time making the file appear genuine, and it should probably be treated accordingly."

The spreadsheet, compressed and scrambled using a passcode, is in Arabic and Farsi, and features about 2,800 records. The surprising entries are at lines 92 and 93 of the document:

X25 scene Khorasan Razavi 51,133,113 Ansar al-Mujahideen scene

Kemp called on a Farsi-speaking friend in Syria, as well as Google Translate, to make sense of the document. "Khorasan Razavi" refers to a province in north-east Iran, close to the Afghan border.

"It doesn't necessarily mean that Ansar Al-Mujahideen are using the line," Kemp said. "The reason why I suspect that they are, rather than a techie twatting about, is that all leased lines in Iran have to be approved by the Iranian government in conjunction with the Telecommunication Company of Iran (TCI), which runs the Iranian x.25 backbone. And I suspect a creative techie may get into a bit of bother with that naming convention - it's a bit more contentious than calling your file server Frodo.

"To the best of my knowledge, X.25 is still really widespread in Iran as unlike TCP/IP it's a shedload easier to control. Additionally according to numerous sources most of the network backbone is X.25, and the Iranians have yet to jump on TCP proper. This may have to do with state control than anything technical."

Kemp explained how he came across the document, which was put together by a security consultant of Arab extraction living in Sweden.

"I fell across the doc while researching X.25 connectivity," he said. "I did a talk on legacy tech at Grrcon and as X.25 is a lovely old and grizzled protocol, so I thought I'd cover that for the TCP/IP generation.

"X.25 is still used as a backbone for ATMs, and SMS bulk services, but Iran is a bit of a weird one from what I know. They never really made the jump to TCP proper and I think much of the ISP space over there is X.25 via XOT or similar. As to why Ansar would have a leased line, if it is them, my supposition would be that it's used to access the internet. Although that said, there could be bloody anything on there, and I have no great desire to breach the Computer Misuse Act and find out."

This legal restriction wouldn't hold back intelligence agencies, of course, and finding out the kind of traffic the line carried would not be particularly difficult.

"There're no passwords but X.25 doesn't work like that," Kemp explained. "Basically if you have a country's DNIC (as mandated by the lovely people at ITU) and the NUA, and access to a X.25 leased line or X.28 pad, you can dial up the number."

Iran and web jihadis - unlikely bedfellows?

Ansar Al-Mujahideen - which maintains a Hungarian-hosted website at ansar1.info - is a forum for jihad-related propaganda and recruitment. The group has posted links to videos showing "Islamic fighters in France" and its site features the pictures of prominent members of al-Qaeda, including its post-Osama leader Ayman al-Zawahiri.

A curious twist to this story is that al-Qaeda, which Ansar Al-Mujahideen is so closely linked to, is a radical Sunni Muslim movement - whereas Iran is overwhelmingly a Shi'ite nation. These two denominations of Islam are so strongly split on their beliefs that it has led to conflict and strife across the Middle East for centuries.

Ansar Al-Mujahideen is apparently trying to radicalise Westerners and persuade them to mount attacks at home as well as recruit them for action in Kashmir. An academic paper on the group and other e-jihadists can be found here.

If the evidence from the leased-line file is to be believed then Ansar Al-Mujahideen has some sort of base in Iran - there's no other good reason to have a government-allocated leased line.

Kemp, an expert in computer security rather than global politics or terrorism, is unsure what this might mean: "Why would they have an office in Iran, who knows? My speculation would be that it's a 'friendly' state thing, in as much as they probably get less hassle there than elsewhere. Direct Iranian involvement in terrorism, which is unequivocally technically provable, may be interesting."

The researcher is putting together a talk for the Deepsec conference in Vienna, Austria next month about the supposed threats posed by computer-armed terrorists. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.