Iranian spies have carried out an intelligence gathering campaign since at least 2011 by targeting U.S. military, diplomats, D.C. journalists, and government emissaries, just to name a few, a via social media.
According to iSIGHT Partners, a cyber threat intelligence firm, attackers have long been able to glean log-in credentials and access “additional systems and information” via the operation. The firm released a report about the sophisticated cyberespionage campaign, nicknamed Newscaster, today.
The campaign has allegedly been able to siphon victims’ e-mail log-ins, network log-ins and a handful of other information that could be used further down the line for social engineering.
To coordinate their plan, the attackers reportedly developed a slew of fake online personas and masqueraded as reporters, defense contractors and politicians. The attackers cultivated these personas through Facebook, Twitter, LinkedIn, YouTube, Blogger and yes, even Google+, in order to convince their victims they were real.
Attackers also fleshed out personas via a bogus news site, Newsonair.org. The articles on the site were attributed to the fake journalists but they were really copied from Reuters and other legitimate sources. A number of the articles on the site refer to sensitive Iranian issues like the country’s nuclear deal, U.S.-Iran relations and sanctions being imposed on the nation.
Once they had befriended the well-connected leaders and convinced them they were real, the attackers took aim at their accounts with spear-phishing messages which captured log-in information. Some of the messages deployed data-exfiltration malware on their machines as well but the firm claims it was not overly sophisticated.
So far the attacks have tricked hundreds of figureheads from the U.S. public and private sector. The firm posits that around 2,000 targets are, or have been, embroiled in the campaign’s web since its inception.
The list of those duped includes senior U.S. military, diplomatic and congressional personnel, U.S. think tanks and defense contractors, along with lobbyists from both the U.S. and Israel. Further victims in the U.K. and Saudi Arabia were also targeted.
iSIGHT wasn’t able to specify exactly what kind of data may have been taken but claims that it’s “reasonable to assume that a vast amount of social content was compromised,” in the scheme.
The firm claims the collective’s targeting, operational schedule, and infrastructure is in line with that of Iranian attackers, possibly located in Tehran. Furthermore the attackers’ schedule coincides with the normal Iranian work schedule: Taking lengthy lunch breaks, a half day on Thursday and taking Friday off entirely.
This is the second major case of cyberespionage involving Iranians this year.
Earlier this month officials at FireEye warned that a hacking group, the Ajax Security Team, has been able to execute a number of exploits against U.S. defense contractors, something the security firm nicknamed Saffron Rose. This campaign, however, is not believed to be tied to the Ajax Security Team.
Like the attackers behind Newscaster, the Ajax Security Team used a combination of malware and social engineering to carry out its attacks.
Both stories complement the ongoing theory that Iran’s offensive hacking capabilities are continuing to develop following attacks against them like Flame and Stuxnet.