The hacker group known as GhostSec has recently made headlines by disclosing the source code of various software packages that it claims are being used by the Iranian government for surveillance purposes. According to Telegram posts made by GhostSec, the group has analyzed approximately 26 GB of compressed data and is releasing it in stages.
The source code is said to originate from the Iranian FANAP group, which is a provider of technology to financial services and the IT sector. However, GhostSec alleges that FANAP has expanded its offerings to include a comprehensive surveillance system used by the Iranian government to monitor its citizens. The features of this system are said to be similar to the Pegasus spyware developed by the NSO Group and tools from Cellebrite.
The first messages about this breach were posted by GhostSec on August 27. At that time, the group announced that it had discovered facial recognition and other privacy-invading features and tools within the FANAP group’s software. Subsequently, GhostSec revealed the following components of the code: Behnama (video surveillance using facial recognition), Behyab (car GPS and tracking system), Behkhan (car license plate recognition system), and Behcard (facial recognition system for printing ID cards).
GhostSec specifically claims that the software was deployed across all branches of Iran’s Pasargad Bank, which is an investor in FANAP. The group’s findings suggest that the software is built on a microservice architecture and uses various technologies, such as Apache Kafka for real-time processing of video data, Redis and Postgres for storing metadata and analysis results, and functions for interacting with IP cameras.
Of particular concern is the Behnama software, which GhostSec describes as “a powerful instrument of surveillance” used by the Iranian government, law enforcement agencies, and military personnel. The group justifies its decision to expose FANAP by stating that it is in the best interests of the Iranian people and the protection of privacy.
When asked about their motives for the breach, GhostSec emphasized their commitment to human rights. The group was formed as a hacktivist and online vigilante operation, and it has previously targeted ISIS and supported Ukraine in its conflict with Russia.
According to a statement by a member of GhostSec on Telegram, the group gained access to FANAP’s infrastructure and compromised a server running HAProxy whose metrics page was accessible. This page provided insights into the backend connections, leading to the discovery and subsequent download of the source code. The member claims to have studied the files for two months before fully understanding their purpose.
In response to the exposure, FANAP issued a statement denying the claims made by GhostSec. The company stated that the leak reports were baseless and aimed at inciting public opinion. FANAP asserted that the attack was unsuccessful and only a portion of the software logs and Docker files were made available. Regarding the functionality of their products, FANAP stated that their software is strictly limited to recognizing faces that have been introduced to the device with the individual’s consent. They categorically denied using the software to identify citizens and described such claims as “pure lies.” FANAP maintained that the facial recognition feature was designed for internal use within the organization and not provided to outside entities.
In response to FANAP’s denial, GhostSec reiterated that it had indeed discovered extensive components of the code, which prompted the release of the software for download once its purpose was understood.
As this situation continues to unfold, it raises important questions about the role of surveillance technology in society and the potential for abuse. While governments argue that such tools are necessary for maintaining security, concerns about privacy and civil liberties persist. It remains to be seen how this disclosure will impact the Iranian government’s surveillance practices and whether any legal actions will be taken as a result of GhostSec’s actions.

