According to Check Point Research (CPR), several hacker groups are assisting protestors in Iran using Telegram, Signal and other tools to bypass government censorship.


The observation came a day after anti-government protests began following the death of Mahsa Amini. Specifically, hacker groups are helping people communicate with each other and share news, as well as leaking and selling data, including officials’ phone numbers and emails, and maps of sensitive locations.


CPR has observed sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides.


Chris Vaughan, VP of Technical Account Management, EMEA and South Asia at Tanium, says, “The telecommunications sector in Iran is almost entirely state-owned, so it’s not surprising that anti-government groups like this are trying to use tools such as Telegram to avoid state censorship. These apps help people get unbiased information in and out of the country, so I expect that app stores may also be targeted in a bid to control communications. It’s likely that the Iranian government will also be blocking VPNs in order to restrict this information flow and disrupt protestors trying to communicate with each other.”


Michael DeBolt, Chief Intelligence Officer at Intel 471, explains that Intel 471 has also observed members of all the major hacking groups on Telegram sharing proxies and methods to bypass internet censorship. “One notable trend was uploading videos of protests and trying to collectively reveal the identity of soldiers and officers who were taking part in violent crackdowns against protestors. We observed [threat actors] posting such information. Many of the notable hacker group chats changed their name to ‘OpIran’ and were used to share information on the protests. The most common cyberattacks observed were denial of service attacks,” DeBolt says.