Iranian web users were the real target of the hack on Dutch certification authority (CA) DigiNotar, which resulted in over 500 fake certificates being issued, evidence has suggested.
The CA was hacked in July, leading hackers to produce a host of fraudulent SSL certificates for sites including Google.com and an MI6 website.
Trend Micro said it had "concrete evidence" suggesting the DigiNotar attack was used to spy on Iranian internet users "on a large scale."
"We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar," a blog post from Trend read.
"Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack."
What we think...
The use of attacks at both the CA and DNS levels shows the hackers were determined, or perhaps ISPs themselves were involved.
The involvement of an ISP was suggested by an Iranian web user the same one who discovered the fake Gmail certificate that kicked off this unsavoury saga in the first place. For Iranian citizens, the situation will only fuel their fury against the Government more.
Tom Brewster, Senior Staff Writer
Trend noted a spike in the number of Iranian users who loaded the SSL certificate verification URL of DigiNotar. As DigiNotar is a Dutch authority, most of its traffic normally comes from Dutch end users, so it is odd to see any noticeable Iranian traffic coming through.
"These aggregated statistics from the Trend Micro Smart Protection Network clearly shows that Iranian internet users were exposed to a large-scale man-in-the-middle attack wherein SSL-encrypted traffic can be decrypted by a third party," Trend Micro added.
"Because of this, a third party was probably able to read all of the email messages an Iranian internet user sent with his/her Gmail account."
The security firm even found evidence suggesting Iranians using anti-censorship software could still have had their internet usage watched over.
"Closer analysis of our data revealed even more alarming facts like outgoing proxy nodes in the US of anti-censorship software made in California were sending Web rating requests for validation.diginotar.nl to the cloud servers of Trend Micro," the company added.
"This very likely means that Iranian citizens who were using this anti-censorship software were victimized by the same man-in-the-middle attack."
Meanwhile, Fox-IT, the security auditors brought in to investigate the DigiNotar hack, found that in the lookups on DigiNotar's OCSP servers, which browsers check to see if a certificate has been revoked, more than 99 per cent of queries originated from Iran during the "active attack period."
Fox-IT found almost 300,000 unique IP addresses from Iran attempted to gain access to Google services using rogue certificates from DigiNotar.
"This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian internet users," said Chester Wisniewski, Sophos senior security advisor, in a blog post.
"Many of the other requests not originating from Iran appear to have originated via Tor exit nodes or other proxies used by Iranians to avoid censorship. This indicates that the method used to perform the man-in-the-middle attacks with these certificates likely depended on DNS poisoning at the ISPs."
