In hindsight, outspoken Iranian writer Roya Hakakian was an ideal target for hackers—especially ones who seemed to support the regime in Tehran. What’s curious is why it took them so long to go after her.
The Tehran-born Hakakian has spent 30 years living in the United States, writing books and op-eds critical of the regime in her native country, and protesting the mullahs who rule there. She even helped found an organization that documents human rights abuses of Iranians—including gay, lesbian, bisexual, and transgender citizens. But Hakakian had never inspired the government’s ire quite like she may have last February.
That month, a Persian-language Website called Tavaana ran a glowing profile of Hakakian—literally glowing. In a lush photograph accompanying the piece, she actually appeared to be emanating light. The story recounted the highlights of Hakakian’s career, which includes a Guggenheim fellowship and two books. The most recent: 2011’s Assassins of the Turquoise Palace, about the notorious assassination of Iranian-Kurdish opposition leaders at a Greek restaurant in Berlin in 1992. Tavaana called Hakakian a “lady [who] deserves praise.” Though, she clarified sheepishly during a recent interview, the headline’s literal translation was a woman who “deserves worship.”
Someone—or some group—had a very different view of Hakakian. To them, the lady who deserves worship needed to be taken down a notch.
For the next two months, Hakakian experienced a campaign of cyber harassment and spying that shows the lengths to which determined intruders will go both to spy on their targets, and to intimidate them. While she found no definitive proof that Iran was to blame, the circumstantial evidence is overwhelming. Hakakian’s case provides an up-close look at the tradecraft of Iranian hackers, whom U.S. intelligence officials say are among the world’s best, and are only getting better and more brazen.
The campaign to silence her also fits with a broader strategy of Tehran silencing free speech within its borders. The government has imprisoned hundreds of political activists, human rights groups say. It continues to jail a Washington Post journalist on charges of espionage. In a recent interview with Charlie Rose, Iranain foreign minister Javad Zarif, his government’s chief negotiator on a pending agreement over the country’s nuclear program, laughably asserted that Iran doesn’t “jail people for their opinions.”
Over the course of two recent interviews with The Daily Beast, Hakakian said she was initially mystified as to why she’d be a target for the Iranian regime today. Hakakian resists the label of dissident and prefers to call herself a “secular intellectual” who’s mainly interested in writing poetry and eschews politics. “I’m a writer. My mission in life isn’t to change regimes,” she said.
But while her writing might not be aimed at revolution, it has surely irked the official powers in in Tehran. In addition to writing poetry, Hakakian has penned op-eds in the New York Times critical of the regime and has spoken on panels about anti-semitism. She proudly expresses her admiration for Western artists and thinkers, including Walt Whitman and Thomas Paine. She is the embodiment of the enlightened thinker than any theocratic dictatorship would consider a threat. But as long as she was writing in a language her countrymen couldn’t understand, that threat was mostly latent.
The common bond among all Hakakian’s outspoken work for the past decade is that she wrote it in English. Once Hakakian, and her writings, were published in Farsi by Tavaan, she seems to have tripped a wire that alerted the Iranian cyber hounds.
The Iranian regime “probably breathed a sigh of relief when I started writing English,” Hakakian said, because it cut her off to millions of potential readers inside Iran. Crossing that language barrier, though, changed the stakes.
The cyber campaign against Hakakian started with a seemingly friendly email, from a woman who claimed to know Hakakian and asked if she remembered all the fun they used to have together. Hakakian was mystified. She couldn’t remember such a person. Had never heard her name. She didn’t reply. But the messages kept coming. And they became hostile. The writer told Hakakian she knew she was a phony. She even accused her of Photoshopping the picture in the Tavaana profile, to make herself look prettier than she really is.
Hakakian dismissed the trolling emails. But on February 22, she received another alarming message. This time, it was an email purporting to come from “The Google Accounts team,” notifying her that “Someone recently used your password to try to sign-in to your Google Account.” The email, one of many that Hakakian shared with The Daily Beast, looks remarkably like alerts that Google sends its users when the settings on their accounts have been changed. But it is almost certainly not authentic.
There are some subtle differences between this message and a standard Google alert, but which would probably be opaque to most users. For starters, the message claimed that a “Hijacker” may have been trying to access Hakakian’s account. It provided an Internet address that it said resolved to “The Islamic Republic of Iran,” and then encouraged Hakakian to click on a link to reset her password.
It’s a classic spear phish, a personalized attempt to lure someone into divulging sensitive information, like an email password, by posing as a trusted source. Whomever sent the email went to significant lengths to make it look real, down to the multi-colored Google logo and a sign-off using the physical address of Google’s offices in Mountain View, California—just as real Google security alerts use.
The alert Hakakian received looks like a bespoke attempt to get her to divulge more information in an attempt to protect herself. And while there was no definitive proof it came from someone in Iran, whomever sent it to Hakakian played upon her fears that the regime might be targeting her.
There were red flags in the alert. The writer didn’t use standard English, capitalizing the H in “Hijacker” and the A in “Account.” And then there was the sender’s address, which came from the domain “support.qooqlemail.com.” You might have to look closely, but that’s “qooqle,” with two Qs. In the font the email used, the lowercase q and g are almost indistinguishable. And of course, why would Hakakian be scrutinizing the return address of an email that looked like a legitimate alert?
Spokespersons for Google wouldn’t comment on the email alert Hakakian received, saying that company policy prohibits them from discussing specific cases of possible hacking. But, they noted, when Google ordinarily advises an individual that their account may have been compromised by a state actor, a warning message is displayed across the top of their Gmail inbox, on what Google calls a “butter bar,” and not via email. Hakakian says she can’t remember ever receiving such a message, or whether she clicked on the one that claimed a hijacker in Iran was accessing her account.
“My first question was, what has changed? Why are they doing this now?” Hakakian said. “It is impossible I would warrant so much serious time and attention.” Hakakian says she’s a mere “speck” in the larger universe of Iranian exiles. She wakes up every morning and reads poetry for half an hour. Plotting to overthrow the ayatollah is not on her to-do list.
The notion that she should be targeted by Tehran when she lived so far away and felt so powerless seemed silly. But the more she considered her situation, she recognized a pattern of aggression from which she may have naively thought she was immune.
Hakakian had heard stories, while researching her book on the assassination, about Iranian intelligence officials harassing dissidents living abroad, usually with incessant phone calls in the middle of the night. But Hakakian wasn’t being harassed, exactly. It seemed she was being watched. And that the hackers tailing her might have wanted her to know they they were reading her private correspondence.
After receiving a few more purported Google alerts, including one that said someone in “The Iran” had tried to log into her account, and another claiming that her backup email address had been changed “illegally,” Hakakian noticed that the order of mail folders she’d set up to organize her messages was changing. As if someone had been rooting around in them but hadn’t put them back in their proper place. Hakakian didn’t find any evidence that emails had gone missing. Things were just shuffled around.
Hakakian paid a visit to the director of technology for the Wilson Center in Washington, DC, where she is a fellow, and showed him the Google alerts. He determined that they didn’t come from Google, but that someone was, in fact, accessing her account, apparently from outside the United States. He also downloaded a program to scan for implanted malicious software—it found three kinds.
The technology director was able to find two distinct Internet address from which at least one intruder was operating. Hakakian said she eventually found Internet addresses accessing her account from four countries—Iran, China, Russia, and Indonesia. That in and of itself isn’t proof that the Iranian regime was hacking her. Skilled hackers, in fact, will mask their real location by hopping through an Internet address in a different country.
But what now seemed beyond dispute was that someone was inside Hakakian’s account. They were able to examine her emails and move—and presumably open—her message folders. Given that the hacking only started after the profile appeared in Tavaana, the Iranian regime had both the motive and the opportunity to intrude into Hakakian’s digital space.
Hakakian said the hackers would have found mostly banal messages about life in Connecticut, where she lives with her family, as well as a lot of email about caring for her ill father. But it’s not just the content of emails that can provide valuable clues to spies. The U.S. National Security Agency, for instance, has for more than a decade maintained records of all landline calls in the United States because the so-called “metadata” of who calls whom, and how often, can potentially reveal more about a person’s social network than the content of those calls.
Whoever was tracking Hakakian probably wasn’t interested in what she was planning for dinner that night, but which other Iranian dissidents and headaches of the regime she knew, at least well enough to have them in her email contacts. And she knows several, whom she asked not to be identified so that they aren’t targeted.
What happened next strongly suggests that the hackers were, in fact, interested not just in harassing or intimidating Hakakian, but in spying on her friends and associates, as well. In early March, someone accessed her Facebook account and sent messages to many of Hakakian’s friends. The messages said she was sorry to have been out of touch, but that she’d been taking care of her father. And if her friends would open the attached document, they’d find a lengthier explanation by Hakakian of all that she’d been going through lately. Hakakian not only didn’t write these words, she never sent a blast message to her friends about her dad.
The document probably contained malicious software code that would have implanted a virus or spyware on the recipient’s computer. (This, too, is a common hacker tactic, and another example of spear phishing.) Hakakian showed me one message that was sent to a prominent journalist working in Washington. She said that others received the same message.
Hakakian received email alerts that also purported to be from Facebook, claiming that her password had been reset by someone using a computer in Chicago, and then again by someone on a machine in Far Rockaway, New York. She said she was not in either city at the time. And it’s not clear if these were legitimate emails. (Representatives at Facebook didn’t respond to a request for comment.)
And Hakakian received other strange messages, including emails reminding her to check in for a conference at a university in Israel hosting a conference on Iran. She’d never heard of the conference, and when she wrote back asking what it was about, she did get a reply—but on her iPhone, via text message.
That may have been the first sign that something even more serious than a Gmail or Facebook hack was happening. Whomever was targeting Hakakian appeared to know her phone number, as well. She thinks that the intruders may have actually hacked the phone and used that to gather contact information about people close to her.
That would be a more serious breach. Vulnerabilities in smartphone operating systems that can give a hacker access to the device are generally harder to find on the black market than vulnerabilities in operating systems for personal computers. Though smartphones have their own weaknesses—insecure apps that leak data and operating systems that might not have the latest security patches—if someone did hack Hakakian’s iPhone, he may have had to pay a lot for the information, if he didn’t find the vulnerability himself. That would suggest the hacker may have been working for a nation state with deep pockets or a lot of cyber hacking expertise.
The Iranian government has accelerated its efforts to build cyber spying and cyber warfare programs, so much so that U.S. intelligence officials now say that Iran poses one of the most significant threats to American national security in cyberspace.
Hakakian and the technology director at the Wilson Center found no evidence that the phone had been compromised. But she took it to an Apple store in Washington, DC, and asked technicians there to rebuild it. They did, and once the phone was effectively wiped clean, she never had any more problems.
Before she rebuilt her phone, however, Hakakian had to contend with another form of harassment that sounded terribly familiar. Like the dissidents she’d interviewed for her book, she too started getting phone calls in the middle of the night. They came every ten to fifteen minutes, Hakakian said, and always from a Skype number in Los Angeles. She said she only answered once, and that the caller sounded drunk, his voice scratchy. “I want to interview you,” he said in Iranian-accented English. Hakakian hung up.
The calls kept coming, even after she blocked each Skype number. She presumes they were automatically generated, and can’t be sure if the callers were in Los Angeles or not. But the harassment fit the pattern of what others had described. A relentless campaign of intimidation with no clear end, other than, it seemed to Hakakian, “to make me miserable.” Hakakian said she felt she had two choices: either to remain silent or to call out her aggressors publicly. She went with the latter, knowing that it might only embolden them.
Hakakian said she reported all the cyber harassment, including the breach of her Google and Facebook accounts, to the FBI. But now the hackers have stopped. Hakakian took some basic steps to increase the security on her personal accounts, including the use of two-step authentication, which requires the user to input a code that only she knows when logging into an account and that expires after one use. Perhaps they were finally locked out or just felt they’d made their point. She doesn’t know.
As upsetting as the cyber harassment was, it wasn’t Hakakian’s first run-in with a hostile Iranian regime. She says that while working as a producer for 60 Minutes in the late 1990s, she was denied a visa to travel to Iran for a story. Tehran accused her of being a “Zionist spy” and refused to let her back into the country.
Hakakian suspects that by targeting her, the hackers may also have wanted to send a message to other exiled writers and activists that they dare not publish their works in Farsi or contribute to sites like Tavaana.
“I think this wasn’t about espionage,” she said. “I think they really want to say to someone like me, that even though we speak Persian, you’re not one of us. Don’t come back.”
“When we start to cross back again,” she continued, “that is entirely unwelcome by the regime.”
While she doesn’t call herself a dissident, Hakakian says she’s certainly an exile. “I can’t go back. Not that I’d want to.” But other Iranians living in the United States, she says, are allowed to return to visit family or celebrate holidays, so long as they adhere to an unspoken bargain—say nothing unflattering about the regime that might resonate back home.
Hakakian put herself on Tehran’s blacklist long before she got hacked. But in singling her out now, the regime’s hackers seemed to say that there are lines Iranians in exile must never cross. Now that Iran has become an aggressive, sophisticated force in cyberspace, those who would dare speak out in their native tongue will have to contend with a level of harassment unlike any they’ve ever experienced.