Source Code of Iranian Surveillance Tool Leaked

Hacker group GhostSec is disclosing the source code for software developed by the Iranian FANAP group, alleging it to be surveillance software used by the Iranian state on its own citizens.

The group claims to have cracked FANAP group's proprietary code, and has analyzed around 26GB of compressed data which it is releasing a file at a time, according to a series of Telegram posts. GhostSec has so far released various core components of the code, such as configuration files and API data.

The FANAP group is an Iranian provider of technology to financial services and the IT sector, but has apparently expanded its wares into a comprehensive surveillance system used by the Iranian government to monitor its citizens, according to GhostSec's findings — with features akin to the Pegasus spyware from the NSO group, or tools from Cellebrite.

What Software Has Been Disclosed?

The first messages were posted on August 27, with GhostSec saying it had discovered facial recognition "and various other privacy invading features and tools" within the FANAP group's software. These were later disclosed as:

In particular, GhostSec alleges that the software was deployed across all branches of Iran's Pasargad Bank, an investor in FANAP. 

Behnama in particular is not just a tool, but "a powerful instrument of surveillance" that is used by the Iranian government, law enforcement agencies, and military personnel, GhostSec said, noting that its intention of exposing FANAP is "in the interests of the Iranian people, but also in the interests of protecting the privacy of each and every one of us."

"It is built on microservice architecture, and contains Kafka from Apache that is likely used for real-time processing of video data from multiple sources; Redis and Postgres to store metadata or analysis results; functions to interact with IP cameras; and services for system monitoring," according to the findings.

Why Did GhostSec Do It?

GhostSec's official statement regarding its motives for the breach and subsequent exposure is in line with its aims for human rights, it said. The group formed in the last decade as a hacktivist and online vigilante operation, and has participated in operations against ISIS and supported Ukraine in the conflict with Russia.

In a message on Telegram, a GhostSec member said they were able to capture the source code by getting access to the FANAP infrastructure, then compromising a server with Ha-Proxy that had a metric page accessible.

"This page showed all the connections to the backend, and I tested them one by one until I came across one containing an open index: all the files were there," according to the post. "I then downloaded everything and studied the files for two months before I could really explain what it was."

What Did FANAP Say in Response?

In a statement published by GhostSec, FANAP denied the reports about the leak, and said the claims were made "without technical expertise and aimed at inciting public opinion." FANAP denied that the attack was successful, and said that only a part of the software logs and Docker files were made available.

On the product's functionality, FANAP said the software "only has the ability to recognize faces that have been introduced to the device with the person's presence and consent (similar to what is found in fingerprint registration in these devices)." It also said that the use by the product to recognize the identity of citizens as a "pure lie" and said the facial recognition feature was "designed for some needs within the organization and was not provided to organizations outside the FANAP group."

In response, GhostSec said that it has discovered extensive components, making the code available for download once it understood the purpose of the Behnama software.