Iran linked to al-Qaeda's web jihadi crew by old-school phone line

X.25 records reveal possible base for terror cheerleaders

Updated: New information has since come to light following the publication of this article, revealing the real identity of the leased line owner.

An organisation that attempts to recruit Westerners to carry out terrorist attacks on their home soil was backed by the Iranian state, according to an unlikely source of information: leased telephone line records.

Security researcher Michael Kemp found a list of the Middle East nation's leased lines that use the packet switching protocol X.25, and claims that it included a line allocated to Ansar Al-Mujahideen - a popular hangout for Islamic militants.

"In the course of doing some research on X.25 - the network that existed before there was the internet - I stumbled across a document detailing all the X.25 network user addresses for the country of Iran," Kemp told El Reg.

"In Iran all connections have to be approved by an organisation called DCI: the Data Communications Company of Iran.

"I found a network user address that appears, if the document is genuine, to pertain to Ansar Al-Mujahideen. Ansar Al-Mujahideen are lovely people who are very much supportive of Jihad as a concept, and have been linked to al-Qaeda. And they have a state-licensed leased line in Iran," the co-founder of UK-based Xiphos Research added.

Checking the validity of the paperwork by attempting to access the leased line would violate the UK's strict anti-hacking laws - specifically the Computer Misuse Act. Kemp said he was unable to rule out the possibility that the list was planted as some sort of disinformation campaign, but argues that the circumstances make this unlikely.

"It's not an 'internal' document but a result of some X.25 walking a student was doing a while ago - about four years ago - but X.25 data network identification codes (DNICs) and their network user addresses (NUAs) are pretty much fixed so that really doesn't matter," Kemp said. "There is nothing to prove the doc is legit, but if it is someone pissing around, they have spent a lot of time making the file appear genuine, and it should probably be treated accordingly."

The spreadsheet, compressed and scrambled using a passcode, is in Arabic and Farsi, and features about 2,800 records. The surprising entries are at lines 92 and 93 of the document:

X25 scene Khorasan Razavi 51,133,113 Ansar al-Mujahideen scene

Kemp called on a Farsi-speaking friend in Syria, as well as Google Translate, to make sense of the document. "Khorasan Razavi" refers to a province in north-east Iran, close to the Afghan border.

"It doesn't necessarily mean that Ansar Al-Mujahideen are using the line," Kemp said. "The reason why I suspect that they are, rather than a techie twatting about, is that all leased lines in Iran have to be approved by the Iranian government in conjunction with the Telecommunication Company of Iran (TCI), which runs the Iranian x.25 backbone. And I suspect a creative techie may get into a bit of bother with that naming convention - it's a bit more contentious than calling your file server Frodo.

"To the best of my knowledge, X.25 is still really widespread in Iran as unlike TCP/IP it's a shedload easier to control. Additionally according to numerous sources most of the network backbone is X.25, and the Iranians have yet to jump on TCP proper. This may have to do with state control than anything technical."

Kemp explained how he came across the document, which was put together by a security consultant of Arab extraction living in Sweden.

"I fell across the doc while researching X.25 connectivity," he said. "I did a talk on legacy tech at Grrcon and as X.25 is a lovely old and grizzled protocol, so I thought I'd cover that for the TCP/IP generation.

"X.25 is still used as a backbone for ATMs, and SMS bulk services, but Iran is a bit of a weird one from what I know. They never really made the jump to TCP proper and I think much of the ISP space over there is X.25 via XOT or similar. As to why Ansar would have a leased line, if it is them, my supposition would be that it's used to access the internet. Although that said, there could be bloody anything on there, and I have no great desire to breach the Computer Misuse Act and find out."

This legal restriction wouldn't hold back intelligence agencies, of course, and finding out the kind of traffic the line carried would not be particularly difficult.

"There're no passwords but X.25 doesn't work like that," Kemp explained. "Basically if you have a country's DNIC (as mandated by the lovely people at ITU) and the NUA, and access to a X.25 leased line or X.28 pad, you can dial up the number."

Iran and web jihadis - unlikely bedfellows?

Ansar Al-Mujahideen - which maintains a Hungarian-hosted website at ansar1.info - is a forum for jihad-related propaganda and recruitment. The group has posted links to videos showing "Islamic fighters in France" and its site features the pictures of prominent members of al-Qaeda, including its post-Osama leader Ayman al-Zawahiri.

A curious twist to this story is that al-Qaeda, which Ansar Al-Mujahideen is so closely linked to, is a radical Sunni Muslim movement - whereas Iran is overwhelmingly a Shi'ite nation. These two denominations of Islam are so strongly split on their beliefs that it has led to conflict and strife across the Middle East for centuries.

Ansar Al-Mujahideen is apparently trying to radicalise Westerners and persuade them to mount attacks at home as well as recruit them for action in Kashmir. An academic paper on the group and other e-jihadists can be found here.

If the evidence from the leased-line file is to be believed then Ansar Al-Mujahideen has some sort of base in Iran - there's no other good reason to have a government-allocated leased line.

Kemp, an expert in computer security rather than global politics or terrorism, is unsure what this might mean: "Why would they have an office in Iran, who knows? My speculation would be that it's a 'friendly' state thing, in as much as they probably get less hassle there than elsewhere. Direct Iranian involvement in terrorism, which is unequivocally technically provable, may be interesting."

The researcher is putting together a talk for the Deepsec conference in Vienna, Austria next month about the supposed threats posed by computer-armed terrorists. ®
