Pierluigi Paganini May 30, 2014

Experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Iranian Hackers use a network of fake accounts (NEWSCASTER network) on principal social media to spy on US officials and political staff worldwide, this is reported in an analysis done by iSIGHT Partners.

A few days ago company FireEye published a report titled “Operation Saffron Rose” to document the activities of the Iranian hacking group named Ajax Security Team. a group of hackers specialized in cyber espionage. As explained by FireEye, the Iranian hacking groups are considered by US a very aggressive threat, they conducted numerous cyber attacks, sabotage and cyber espionage are their principal activities, groups like Ajax Security Team are responsible for different espionage campaigns on custom-built malicious software.

iSIGHT Partners revealed that Iranian hackers have used fake accounts in a cyber espionage campaign that is started at least four years ago. The hackers tried to infiltrate the network of contacts related to persons of interest with the purpose to spy on their targets.

“The targeting, operational schedule, and infrastructure used in this campaign is consistent with Iranian origins.” states iSIGHT Partners.

The Iranian hackers have spent a great effort to make realistic the bogus identities they created to spy on the victims,  iSight said it was the most elaborate net-based spying campaign using social media it had ever seen.

“iSIGHT Partners believes Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign.  At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas.”

The stealth campaign has targeted US Navy admirals, politicians, ambassadors, think tanks, defense contractors, senior government and military figures from different countries, including the Afghanistan, Iraq, Israel, Saudi Arabia, Syria, UK.

The bogus identities used by Iranian hackers claim to work in government, journalism and defense contracting, the attackers exploit the network of accounts, managing mutual interactions and relationship with victims’ direct contacts. The attackers use a fictitious journalism website, newsonair.org, that reports news content from other legitimate media outlets.

The cyber espionage through social media platform is conducted articulating the activities of bogus identities that exactly as any other real person are linked to other accounts, promote “friendship” with target victims, stimulate discussions on topics of interest. The purpose is the profiling of victims to steal them sensitive information related their activities and relationships from updates and their social media experience.

The Iranian hackers targeted victims with spear-phishing messages which contain links to fake log-in pages used to harvest victim’s credentials.

The attackers used also malware for data exfiltration, but according to the analysts, the malicious codes used by Iranian hackers were not sophisticated. 

The hackers adopted a technique consolidated to spread malware via phishing attacks, avoiding detection, they initially spread links free of malware to the connections set up on social media, in a second step of the attack, when links passed security scan, the domains related to the links were seeded with malware.

Below the key findings of the report:

• Social media offers a powerful and covert pathway for targeting key government and industry leadership through a third-party platform potentially outside of existing security measures.
• Given targeting associated with this campaign, Iranian actors may have used accesses gained through this activity to support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S.  Furthermore, it is possible that any access or knowledge could be used as reconnaissance-for-attack in advance of disruptive or destructive activity.
• Adversaries such as these are increasingly adept at finding and exploiting opportunities to carry out cyber espionage, even when lacking sophisticated capability.  NEWSCASTER’s success is largely due to its patience, brazen nature, and innovative use of multiple social media platforms.

It is not clear is the Iranian hackers are state-sponsored actors, if you are interested to understand how social media could be exploited in the military let me suggest you to read my post “Social Media use in the Military Sector“

iSight had already informed  many of the victims targeted by Iranian hackers and had alerted the law enforcement and intelligence agencies.

[adrotate banner=”9″]

(Security Affairs –  Iranian hackers, social media)