Incident Response and System Recovery

A comprehensive guide on detecting security breaches, responding to malware infections and account compromises, and safely recovering systems within the Iranian threat landscape.

In the landscape of Iranian internet security, "incidents" can range from common phishing attacks to sophisticated state-sponsored spyware (like Pegasus or domestic equivalents) and physical device seizure by security forces.

This guide outlines a structured approach to Incident Response (IR): detecting a compromise, containing the damage, eradicating the threat, and recovering your digital life.


Phase 1: Detection and Indicators of Compromise (IoC)

Detecting a breach early can prevent data exfiltration. Indicators are divided into account anomalies and device behavior.

1. Account Security Indicators

Attackers often target accounts (Telegram, Instagram, Google) rather than the device itself, as this is cheaper and easier.

  • Unexpected Login Alerts: Notifications of logins from unrecognized devices or locations (e.g., a login from Tehran when you are in Tabriz).
  • Active Sessions: Unknown devices listed in the "Devices" or "Active Sessions" menu of Telegram, WhatsApp, or Signal.
  • Missing or Read Messages: Messages marked as "read" that you did not open, or messages sent to your contacts that you did not write.
  • SMS 2FA Codes: Receiving Two-Factor Authentication (2FA) codes via SMS that you did not request. Note: In Iran, this often indicates an attempt by state actors to clone your session via SMS interception.

2. Device Behavior Indicators

  • Battery Drain & Overheating: Significant changes in battery life or the phone becoming hot while idle.
  • Reboots: The device restarting spontaneously (often triggered by malware to apply updates or establish persistence).
  • Anti-Virus Failure: Security software disabling itself or failing to run.
  • UI Glitches: Keyboard delays, apps crashing frequently, or strange icons appearing.

3. Hardware Indicators

  • Physical Tampering: If your device was confiscated and returned, check for signs of opening (scratches on screws) or slight changes in hardware weight/feel.

Phase 2: Immediate Containment

If you suspect an infection or compromise, stop the bleeding immediately.

1. Disconnect Everything

Cut the connection between the attacker and your device.

  • Enable Airplane Mode: Immediately.
  • Turn Off Wi-Fi and Bluetooth: Ensure they are disabled in settings, not just the control center.
  • Remove the SIM Card: Physically eject the SIM card. This prevents communication via cellular networks, which is the primary vector for tracking in Iran.
  • Unplug Ethernet: If using a wired connection.

2. Power Down (Context-Dependent)

  • Standard Malware: Shutting down the device stops the malware from running.
  • Advanced Mobile Spyware (Pegasus/Predator): Modern advanced spyware is often "non-persistent," meaning it lives only in RAM (memory). Rebooting the device may actually remove the active infection, but it also destroys the evidence of it. If you need to preserve evidence for forensic analysis by an organization like Amnesty Tech, do not reboot: place the device in a Faraday bag (or a microwave/fridge to block signals) and keep it charged until you can contact experts.

Phase 3: Account Recovery

If your accounts are compromised, you must act quickly to revoke access. Do this from a clean, trusted device, not the infected one.

1. Kill Active Sessions

  • Telegram: Settings > Devices > Terminate All Other Sessions.
  • Google: Manage your Google Account > Security > Your Devices > Sign out of unrecognized sessions.
  • Twitter/X/Instagram: Settings > Security > Apps and Sessions > Revoke access.

2. Change Credentials

  • Change passwords immediately using a Password Manager.
  • Ensure the new password is strong (16+ characters, random mix).

3. Fortify Authentication (The SMS Problem)

  • Remove SMS 2FA: Iranian telecommunication providers (MCI, Irancell, Rightel) are obligated to intercept SMS for security services. SMS 2FA is not secure in Iran.
  • Enable Authenticator Apps: Use TOTP apps (Google Authenticator, Raivo, Aegis) or hardware keys (YubiKey).
  • Generate Backup Codes: Save these offline in case you lose access to your device.

Phase 4: Device Analysis (Forensics)

1. External Verification Tools (Mobile)

Public tools exist to scan for "Indicators of Compromise" (IoCs) associated with known spyware.

  • Mobile Verification Toolkit (MVT): Developed by Amnesty International. It scans iOS backups and Android systems for traces of Pegasus and Predator.
    • Limit: High technical skill required (Command Line Interface).
    • Limit: Only detects known threats. A "clean" scan does not guarantee safety.
  • iMazing (iOS): A user-friendly tool that wraps MVT's scanning engine. It can scan your iPhone for spyware indicators without needing coding knowledge.

2. File Analysis (Desktop)

  • VirusTotal: If you have a specific suspicious file (PDF, APK, EXE), upload it to VirusTotal.com. It scans the file against 70+ antivirus engines.
    • Warning: Do not upload documents containing sensitive personal info, as uploaded files are shared with security researchers.
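As an added example (not part of the original guide), the script below applies the warning above by asking VirusTotal about a file's SHA-256 hash instead of uploading the file: it uses the real v3 `files/{hash}` endpoint, expects your own API key (an assumed placeholder), and carries a constructed sample report so the summarizing logic can be exercised offline.

```python
import hashlib
import json
import urllib.error
import urllib.request

# Real VirusTotal v3 endpoint: a GET on the hash returns the existing report
# without sending the file, so sensitive documents stay on your machine.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

# Constructed sample of a v3 file object, trimmed to the fields used below.
SAMPLE_REPORT = {"data": {"attributes": {
    "names": ["invoice.pdf"],
    "last_analysis_stats": {"malicious": 12, "suspicious": 1,
                            "undetected": 58, "harmless": 0}}}}

def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 locally; nothing is uploaded."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def summarize_report(report: dict) -> dict:
    """Reduce a VT file object to the counts a responder acts on."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    verdict = "malicious" if malicious else "suspicious" if suspicious else "no detections"
    return {"known": True, "malicious": malicious, "suspicious": suspicious,
            "engines": sum(stats.values()), "verdict": verdict,
            "names": attrs.get("names", [])[:3]}

def lookup_hash(sha256: str, api_key: str) -> dict:
    """Query by hash only. A 404 means VirusTotal has never seen the file,
    which is not the same as 'clean': targeted malware is often unseen."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"known": False, "verdict": "unknown to VirusTotal"}
        raise
```

Call `sha256_of_file` on the suspicious file and pass the digest with your own API key to `lookup_hash`; treat an "unknown to VirusTotal" result as unresolved, not as a clean verdict.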

3. On-Device Integrity (Android)

  • Auditor App: For users of GrapheneOS or supported stock Androids, the Auditor app uses hardware-backed attestation to verify the operating system hasn't been tampered with or downgraded.

Phase 5: Eradication and Restoration

Removing the threat is the priority. "Cleaning" a compromised system is rarely 100% effective; wiping is safer.

1. Full Wipe

The only way to be sure a system is clean is to erase it completely.

  • Factory Reset: Go to Settings > System > Reset options > Erase all data (factory reset).
  • Reinstall OS (Computers): For Windows/Linux, format the hard drive completely and reinstall the OS from a trusted USB drive (created on a clean computer).
  • Destruction: If the device contained extremely sensitive data regarding dissidents or networks, physical destruction of the hard drive/storage chip is the only absolute guarantee against forensic recovery by state authorities.

2. Handling Backups

  • Danger of Re-infection: Do not restore a full system backup (e.g., "Time Machine" or full Android backup) onto a clean device. You might reinstall the malware.
  • Safe Recovery: Manually copy essential documents, photos, and videos. Scan them with antivirus before opening. Re-download apps from official stores (Google Play, F-Droid, App Store) rather than copying old APKs.

3. Specialized Tools

  • Rescue Disks: If you cannot boot a computer, use a "Rescue Disk" (like Kaspersky Rescue Disk or a Live Linux USB) to boot the system externally and scan/recover files.
  • Dangerzone: Use Dangerzone to sanitize recovered documents. It converts potentially infected PDFs/Docs into safe pixels and back to PDF, stripping all malicious code.

Phase 6: Post-Incident Hardening

Once you have recovered, strengthen your defenses to prevent recurrence.

  1. Update Everything: Ensure the OS and all apps are on the latest versions.
  2. Lockdown Modes:
    • iOS: Enable Lockdown Mode. It severely limits the attack surface (blocking web fonts, unknown call invitations) and is highly effective against NSO Group spyware.
    • Android: Use Advanced Protection (Android 16+) or switch to GrapheneOS for hardware-hardened security.
  3. Registration Lock: Enable "Registration Lock" in Signal and WhatsApp (PIN) to prevent SIM swappers from registering your number on a new device.
  4. Verification: Periodically check your "Linked Devices" on all platforms.

Emergency Resources

If you are a human rights defender, journalist, or activist facing an active emergency, external help is available.

  • Access Now Digital Security Helpline:
    • Provides 24/7 assistance in multiple languages (including Farsi).
    • Website: accessnow.org/help
  • Amnesty International Security Lab:
  • Front Line Defenders:

Summary Checklist for Iran

  1. Disconnect: Airplane mode, remove SIM, turn off Wi-Fi.
  2. Isolate: Stop using the device for sensitive communication.
  3. Revoke: Use a clean device to kill active sessions on Telegram/Instagram/Google.
  4. Consult: If high-risk, contact Access Now before wiping.
  5. Wipe: Perform a factory reset if no forensic analysis is needed.
  6. Secure: Change all passwords and switch 2FA to Authenticator Apps (No SMS).