Social media central to Iranian espionage campaign: Report

Iranian hackers have used over a dozen fake personas on social networking sites in a coordinated, three-year espionage campaign to gain login credentials and other information from high-ranking officials in the US and other countries, according to cyber intelligence firm iSight Partners.

In a report published this week, iSight alleged that the campaign, dubbed 'Newscaster', has been working undetected since 2011, and has targeted senior US military and diplomatic personnel, Washington D.C. area journalists, US think tanks, defence contractors in the US and Israel, with additional victims in the UK, Saudi Arabia, and Iraq.

The company said the targeting, operational schedule, and infrastructure used in the campaign was "consistent with Iranian origins", and that it bore the hallmarks of a state-sponsored campaign. At least 2000 individuals have been targeted, according to the company.

"They [the hackers] maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the work day," said iSight in a statement. "These hours conform to work hours in Tehran. Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend."

While iSight said the network appeared to be primarily focused on targeting senior military and policymakers, firms associated with defence technology, and the US-Israel lobby, it also found victims in the financial and energy sectors.

iSight said it believed Iranian "threat actors" were using more than a dozen fake personas on social networking sites, including Facebook, Twitter, LinkedIn, Google+, YouTube, and Blogger.

The fake personas claim to work in journalism, government, and defence contracting. According to iSight, the hackers created credibility using, among other tactics, a fictitious journalism website, newsonair.org, that plagiarises news content from other legitimate media outlets. This should not be mistaken for the legitimate Indian news website, newsonair.com.

The personas then connected with, and 'friended' targeted victims, giving them access to information on location, activities, and relationships from updates and other common content.

Accounts were then targeted with spear-phishing messages. Links that appeared to be legitimate asked recipients to login to false pages, capturing credential information. It is not clear at this time how many credentials the attack has captured to date.

Additionally, the campaign is linked to malware. While the malware is not particularly sophisticated it includes capability that can be used for data exfiltration, according to iSight.

While iSight said it could not fully disclose what sort of data had been compromised or taken in the attacks, it was reasonable to assume that a vast amount of social content was compromised, along with a number of login credentials used for access to other systems and platforms.

"We infer, from our limited knowledge of Newscaster targeting, that such intelligence could ultimately support the development of weapon systems, provide insight into the disposition of the US military or the US alliance with Israel, or impart an advantage in negotiations between Iran and the US, especially with regards to sanctions and proliferation issues," said iSight.

"It is also possible that the compromise of such high-ranking and influential people could be used to access the senior levels of as-of-yet unidentified organisations in the US, Israel, and elsewhere."

iSight said that it had notified some of the victims of the campaign, along with the US Federal Bureau of Investigation and government agencies in other countries.

The report comes just over half a year after Iran's news agency alleged that Saudi Arabian and Israeli spy agencies were working together to develop a worm more powerful than the Stuxnet worm, which was used in 2010 to attack Tehran's nuclear program. It was widely believed to have been launched by the US and Israel.

Meanwhile, the Chinese government is viewing US-made and operated IT hardware and software within its national borders with growing suspicion in the wake of the US-Chinese cyber spying scandal, which was triggered by information in documents leaked by US whistle-blower, Edward Snowdon.