Iran linked to al-Qaeda's web jihadi crew by old-school phone line

X.25 records reveal possible base for terror cheerleaders


Updated: New information has since come to light following the publication of this article, revealing the real identity of the leased line owner.

An organisation that attempts to recruit Westerners to carry out terrorist attacks on their home soil was backed by the Iranian state, according to an unlikely source of information: leased telephone line records.

Security researcher Michael Kemp found a list of the Middle East nation's leased lines that use the packet switching protocol X.25, and claims that it included a line allocated to Ansar Al-Mujahideen - a popular hangout for Islamic militants.

"In the course of doing some research on X.25 - the network that existed before there was the internet - I stumbled across a document detailing all the X.25 network user addresses for the country of Iran," Kemp told El Reg.

"In Iran all connections have to be approved by an organisation called DCI: the Data Communications Company of Iran.

"I found a network user address that appears, if the document is genuine, to pertain to Ansar Al-Mujahideen. Ansar Al-Mujahideen are lovely people who are very much supportive of Jihad as a concept, and have been linked to al-Qaeda. And they have a state-licensed leased line in Iran," the co-founder of UK-based Xiphos Research added.

Checking the validity of the paperwork by attempting to access the leased line would violate the UK's strict anti-hacking laws - specifically the Computer Misuse Act. Kemp said he was unable to rule out the possibility that the list was planted as some sort of disinformation campaign, but argues that the circumstances make this unlikely.

"It's not an 'internal' document but a result of some X.25 walking a student was doing a while ago - about four years ago - but X.25 data network identification codes (DNICs) and their network user addresses (NUAs) are pretty much fixed so that really doesn't matter," Kemp said. "There is nothing to prove the doc is legit, but if it is someone pissing around, they have spent a lot of time making the file appear genuine, and it should probably be treated accordingly."

The spreadsheet, compressed and scrambled using a passcode, is in Arabic and Farsi, and features about 2,800 records. The surprising entries are at lines 92 and 93 of the document:

X25 scene Khorasan Razavi 51,133,113 Ansar al-Mujahideen scene

Kemp called on a Farsi-speaking friend in Syria, as well as Google Translate, to make sense of the document. "Khorasan Razavi" refers to a province in north-east Iran, close to the Afghan border.

"It doesn't necessarily mean that Ansar Al-Mujahideen are using the line," Kemp said. "The reason why I suspect that they are, rather than a techie twatting about, is that all leased lines in Iran have to be approved by the Iranian government in conjunction with the Telecommunication Company of Iran (TCI), which runs the Iranian X.25 backbone. And I suspect a creative techie may get into a bit of bother with that naming convention - it's a bit more contentious than calling your file server Frodo.

"To the best of my knowledge, X.25 is still really widespread in Iran as unlike TCP/IP it's a shedload easier to control. Additionally, according to numerous sources, most of the network backbone is X.25, and the Iranians have yet to jump on TCP proper. This may have more to do with state control than anything technical."

Kemp explained how he came across the document, which was put together by a security consultant of Arab extraction living in Sweden.

"I fell across the doc while researching X.25 connectivity," he said. "I did a talk on legacy tech at Grrcon and, as X.25 is a lovely old and grizzled protocol, I thought I'd cover that for the TCP/IP generation.

"X.25 is still used as a backbone for ATMs, and SMS bulk services, but Iran is a bit of a weird one from what I know. They never really made the jump to TCP proper and I think much of the ISP space over there is X.25 via XOT or similar. As to why Ansar would have a leased line, if it is them, my supposition would be that it's used to access the internet. Although that said, there could be bloody anything on there, and I have no great desire to breach the Computer Misuse Act and find out."

This legal restriction wouldn't hold back intelligence agencies, of course, and finding out the kind of traffic the line carried would not be particularly difficult.

"There're no passwords but X.25 doesn't work like that," Kemp explained. "Basically if you have a country's DNIC (as mandated by the lovely people at ITU) and the NUA, and access to an X.25 leased line or X.28 pad, you can dial up the number."
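The addressing Kemp describes is ITU-T X.121: a four-digit DNIC (a three-digit data country code plus one digit identifying the licensed network) followed by the subscriber part, at most 14 digits in all. The parser below, an added example that is not code from the article or from Xiphos Research, validates records of that shape and groups an inventory by DNIC so that an analyst can see which licensed network a set of leased-line entries belongs to; the sample records and their numbers are constructed, not taken from the spreadsheet.

```python
import re
from collections import Counter

X121_MAX_DIGITS = 14   # ITU-T X.121: an international data number is at most 14 digits
DNIC_DIGITS = 4        # Data Network Identification Code: 3-digit DCC + 1 network digit


def parse_x121(address):
    """Split an X.121 network user address into its DNIC and subscriber parts.

    Separators (spaces, commas, dashes) are stripped first, because extracted
    spreadsheet records often group digits for readability.  Returns None for
    anything that is not a structurally valid X.121 number.
    """
    digits = re.sub(r"[\s,\-]", "", address)
    if not digits.isdigit() or not DNIC_DIGITS <= len(digits) <= X121_MAX_DIGITS:
        return None
    dnic = digits[:DNIC_DIGITS]
    return {
        "dnic": dnic,
        "dcc": dnic[:3],                # Data Country Code: which country assigned it
        "network_digit": dnic[3],       # which licensed data network inside that country
        "ntn": digits[DNIC_DIGITS:],    # Network Terminal Number (subscriber part)
    }


def group_by_dnic(records):
    """Count how many (label, address) records fall under each DNIC.

    Structurally invalid entries are counted under "invalid" so that a
    reviewer can spot typos or deliberately malformed rows in an inventory.
    """
    counts = Counter()
    for _label, nua in records:
        parsed = parse_x121(nua)
        counts[parsed["dnic"] if parsed else "invalid"] += 1
    return counts


# Constructed sample records: labels and numbers are made up for illustration.
SAMPLE_RECORDS = [
    ("site-a", "1234 567890"),
    ("site-b", "1234,567891"),
    ("site-c", "1235-0009"),
    ("bad-entry", "12x4 5678"),
    ("too-long", "123456789012345"),
]

if __name__ == "__main__":
    for label, nua in SAMPLE_RECORDS:
        print(label, parse_x121(nua))
    print(group_by_dnic(SAMPLE_RECORDS))
```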

Iran and web jihadis - unlikely bedfellows?

Ansar Al-Mujahideen - which maintains a Hungarian-hosted website at ansar1.info - is a forum for jihad-related propaganda and recruitment. The group has posted links to videos showing "Islamic fighters in France" and its site features the pictures of prominent members of al-Qaeda, including its post-Osama leader Ayman al-Zawahiri.

A curious twist to this story is that al-Qaeda, which Ansar Al-Mujahideen is so closely linked to, is a radical Sunni Muslim movement - whereas Iran is overwhelmingly a Shi'ite nation. These two denominations of Islam are so strongly split on their beliefs that it has led to conflict and strife across the Middle East for centuries.

Ansar Al-Mujahideen is apparently trying to radicalise Westerners and persuade them to mount attacks at home as well as recruit them for action in Kashmir. An academic paper on the group and other e-jihadists can be found here.

If the evidence from the leased-line file is to be believed then Ansar Al-Mujahideen has some sort of base in Iran - there's no other good reason to have a government-allocated leased line.

Kemp, an expert in computer security rather than global politics or terrorism, is unsure what this might mean: "Why would they have an office in Iran, who knows? My speculation would be that it's a 'friendly' state thing, in as much as they probably get less hassle there than elsewhere. Direct Iranian involvement in terrorism, which is unequivocally technically provable, may be interesting."

The researcher is putting together a talk for the Deepsec conference in Vienna, Austria next month about the supposed threats posed by computer-armed terrorists. ®
