A group of hackers in Iran are believed to have used fake social media profiles, and a bogus news website, to carry out cyber espionage attacks targeting at least 2,000 people. This is thought to include senior US military and diplomatic personnel, journalists, and both Israeli and US defense contractors.
In a report released Thursday, the security consultancy iSight Partners revealed findings indicating that a group whose characteristics are consistent with Iranian origin has run a campaign since at least 2011. The campaign, which went undetected while harvesting the email login details of its targets, is known as Newscaster.
Here’s how Newscaster works. The hackers build a network of fake profiles on sites such as Facebook, Twitter, and LinkedIn. Next, they connect with friends and colleagues of the people they plan to target. Once enough mutual connections are in place, the hackers send requests to the targets themselves, who see a familiar set of shared contacts and accept; that connection gives the attackers access to the targets' personal information.
Once connected, the attackers send the target links to web content. Before that content loads, the target is taken to a fake login portal imitating a site such as Gmail, and whatever is typed there goes to the attackers. Such targeted, personalized messages are known as “spear-phishing,” and they are how the group obtained passwords and other login details from unsuspecting victims.
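The weak point in the flow above is the fake login portal: the page looks like Gmail, but the address bar does not belong to Google. The following is an added example, not code from iSight's report or from VICE, showing the checks a mail gateway or a cautious user could apply to a login link before trusting it. The brand-to-domain table, the sample URLs and the hostnames in them are constructed for illustration; they are not Newscaster indicators.

```python
from urllib.parse import urlsplit
import ipaddress

# Domains a genuine login page for each brand may live under. Only Gmail is listed
# because that is the service named in the article; the table itself is an assumption.
LEGIT_DOMAINS = {"gmail": ("google.com", "gmail.com")}

def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a real subdomain of it.

    The match is on a label boundary, so 'accounts.google.com' passes while
    'accounts.google.com.evil.example' (a lookalike that merely contains the name) fails.
    """
    return host == domain or host.endswith("." + domain)

def is_ip_literal(host: str) -> bool:
    """Bare IPv4/IPv6 hosts are a classic sign of a throwaway phishing server."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_login_link(url: str, claimed_brand: str) -> list:
    """Return the reasons a link that claims to be a <claimed_brand> login page looks fake.

    An empty list means none of these checks fired. The checks cover the tricks that
    make a credential-harvesting page pass a quick glance: a plain-http page, a fake
    host name stuffed in front of '@', a raw IP address, a punycode (homograph) label,
    and, above all, a host that is not actually under the brand's real domains.
    """
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}; a real login page uses https")
    if parts.username is not None:
        # 'https://accounts.google.com@evil.example/' connects to evil.example;
        # everything before '@' is ignored userinfo, shown only to fool the reader.
        reasons.append(f"text before '@' hides the real host {host!r}")
    if not host:
        reasons.append("no host in URL")
        return reasons
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host; possible homograph of the real domain")

    legit = LEGIT_DOMAINS[claimed_brand]
    if not any(host_matches(host, d) for d in legit):
        # The brand name appearing inside a foreign host is the usual lookalike pattern.
        brand_words = {d.split(".")[0] for d in legit}
        hint = " (brand name embedded in a lookalike host)" if any(w in host for w in brand_words) else ""
        reasons.append(f"host {host!r} is not under {legit}{hint}")
    return reasons

if __name__ == "__main__":
    # Constructed sample links: one genuine, three styled after the spear-phishing
    # pattern described in the article (hostnames are made up, not real indicators).
    samples = [
        "https://accounts.google.com/ServiceLogin",
        "http://accounts.google.com.login-verify.example/ServiceLogin",
        "https://accounts.google.com@198.51.100.7/login",
        "https://xn--ggle-0nda.example/signin",
    ]
    for link in samples:
        verdict = assess_login_link(link, "gmail")
        print(link, "->", "OK" if not verdict else "; ".join(verdict))
```

The label-boundary comparison in `host_matches` is the check that matters most: a naive `"google.com" in host` test accepts every lookalike the attackers would register, while `endswith("." + domain)` does not.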
Many of the phony personas were elaborate and relied on a fake news site built solely for this campaign. The site, newsonair.org, republished plagiarized articles from international outlets such as Reuters and the BBC. Its own account tweeted links to those articles, and the fake profiles shared them across the social networks, giving the personas a plausible public history.
“What stood out was the brazen nature of it, relatively it’s not that technologically advanced in terms of malware, but there’s a lot of complexity involved in what they did,” Steve Ward, iSight's senior marketing director, told VICE News.
iSight attributed the attacks to Iran based on the skill sets used, the people targeted, and the timing of activity. The hackers took breaks during Iran’s lunchtime, stopped early on Thursdays, and did not work on Fridays, matching the Iranian work week. Ward said another tip-off was that the fake news site's IP address was registered in Tehran.
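The timing argument above can be made quantitative: convert every observed timestamp into each candidate time zone and measure how much of the activity lands inside that zone's local working hours and work days. The block below is an added example of that technique, not iSight's method or data. The event timestamps are constructed to follow the pattern the article describes (Saturday to Wednesday working days, a short Thursday, no Friday, a lunch break), the candidate zones use fixed UTC offsets with daylight saving ignored, and the working-hour window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed offsets. Daylight saving is deliberately ignored here
# (assumption for the example); a real analysis would use zoneinfo for the dates involved.
CANDIDATE_ZONES = {
    "Tehran (UTC+3:30)": timezone(timedelta(hours=3, minutes=30)),
    "Beijing (UTC+8)": timezone(timedelta(hours=8)),
    "New York (UTC-5)": timezone(timedelta(hours=-5)),
}

# Working days per zone, as datetime.weekday() numbers (Mon=0 ... Sun=6).
# Iran's weekend is Friday, so its work week is Saturday through Thursday.
WORK_DAYS = {
    "Tehran (UTC+3:30)": {5, 6, 0, 1, 2, 3},
    "Beijing (UTC+8)": {0, 1, 2, 3, 4},
    "New York (UTC-5)": {0, 1, 2, 3, 4},
}
WORK_HOURS = range(8, 18)  # 08:00-17:59 local (assumed office hours)

def score_zone(events_utc, zone_name):
    """Fraction of events that fall on a work day and inside office hours in this zone."""
    tz = CANDIDATE_ZONES[zone_name]
    days = WORK_DAYS[zone_name]
    hits = sum(
        1 for t in events_utc
        if t.astimezone(tz).weekday() in days and t.astimezone(tz).hour in WORK_HOURS
    )
    return hits / len(events_utc)

def rank_zones(events_utc):
    """Candidate zones ordered from best to worst fit, as (score, zone_name) pairs."""
    return sorted(((score_zone(events_utc, z), z) for z in CANDIDATE_ZONES), reverse=True)

def weekday_histogram(events_utc, zone_name):
    """Events per local weekday; an empty day is the 'they don't work Fridays' signal."""
    tz = CANDIDATE_ZONES[zone_name]
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    counts = Counter(names[t.astimezone(tz).weekday()] for t in events_utc)
    return {d: counts.get(d, 0) for d in names}

def constructed_events():
    """Constructed sample: one week of activity generated in Tehran local time.

    Saturday to Wednesday: one event per hour 09-16 except 12 (lunch break).
    Thursday: 09-11 only (early finish). Friday: nothing. Returned in UTC, which is
    what a log collector would actually hold.
    """
    tz = CANDIDATE_ZONES["Tehran (UTC+3:30)"]
    start = datetime(2014, 5, 24, tzinfo=tz)  # a Saturday
    events = []
    for day in range(7):
        d = start + timedelta(days=day)
        wd = d.weekday()
        if wd == 4:  # Friday off
            continue
        hours = [9, 10, 11] if wd == 3 else [9, 10, 11, 13, 14, 15, 16]
        for h in hours:
            events.append(d.replace(hour=h, minute=15).astimezone(timezone.utc))
    return events

if __name__ == "__main__":
    evs = constructed_events()
    for score, zone in rank_zones(evs):
        print(f"{zone:20s} {score:.2f}  {weekday_histogram(evs, zone)}")
```

Two points carry over to real data. First, the ranking only means something when the candidate set includes the zones you want to rule out, which is why Beijing and New York are scored alongside Tehran. Second, the weekday histogram is the more convincing artefact: a work-hour fit can be coincidence, but a consistent Friday gap across months of logs is hard to explain any other way.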
“It’s not surprising they had the ambition to do it, but it’s surprising when you think about the capabilities because this is a really complex campaign they organized. What they did is a lengthy, costly process of espionage,” Ward said.
While the US government has concentrated its cyber-security efforts on attacks coming out of China, experts have also begun to focus on the growing threat from Iran.
Earlier this month, cybersecurity company FireEye Inc. highlighted a group called the Ajax Security Team, which it described as Iran’s first hacking group to use malware in politically motivated espionage campaigns. Ajax is thought to have carried out attacks against US defense companies.
Experts say Iran has stepped up its cyber attacks on foreign entities since Stuxnet, the worm discovered in 2010 that sabotaged centrifuges in Tehran’s nuclear program and was allegedly launched by the US.
Steve Stone, a cyber-threat intelligence analyst at FireEye, told VICE News his team is currently tracking six Iranian hacking groups, compared with 22 in China. State attention to cyber attacks is relatively new in Iran; Stone said the groups his team sees began appearing in 2012.
“It’s part of that changing landscape in Iran, the Iranian government and people have now had a number of flagship cyber moments,” he said, referring to the unprecedented social media use during the 2009 elections and the Stuxnet worm that attacked Iran's Natanz nuclear facility in 2010.
According to Stone, Newscaster falls in line with typical Iranian foreign policy, which now extends into the country's cyber policy.
“Iranian groups want to be able to say they were able to attack a US target, therefore showing Iran is strong and capable of doing things like this,” Stone told VICE News.
He calls Iran the “new kids on the block” in cyber espionage, implying that it is not as sophisticated as its rivals. But Stone says Iran does not necessarily need advanced technology, given its goals.
“It speaks to their strengths, they’re not trying to steal large amounts of intellectual property, they don’t need as much of a skill set to go after government officials on Facebook,” Stone said.
The success of a program like Newscaster also exposes gaps in the US government’s preparation for such threats.
“I think it’s fair to say that others are going to catch up in this realm and we’re behind the curve from the defensive perspective,” Ward said. “We are fighting against our adversaries with approaches that worked 15 years ago at the dawn of the internet.”
Ward added that the US needs to develop better security practices and accept the need to innovate. Given Newscaster’s success, he said, better protection for personnel is clearly necessary.
“It’s gonna get pretty crowded in this space in these next 10 years,” Ward said. “We just gotta wake the hell up and recognize what the hell we’re dealing with and realize we’re losing.”
Follow Kayla Ruble on Twitter: @RubleKB