
Iranian hackers behind most elaborate spying campaign on social media

Experts at iSIGHT Partners issued a report describing the most elaborate net-based spying campaign ever organized by Iranian hackers using social media.

Iranian hackers are using a network of fake accounts (the NEWSCASTER network) on the major social media platforms to spy on US officials and political staff worldwide, according to an analysis by iSIGHT Partners.

A few days ago FireEye published a report titled “Operation Saffron Rose” documenting the activities of the Iranian hacking group Ajax Security Team, a group specialized in cyber espionage. As FireEye explained, Iranian hacking groups are considered a very aggressive threat by the US: they have conducted numerous cyber attacks, sabotage and cyber espionage are their principal activities, and groups like Ajax Security Team are responsible for several espionage campaigns based on custom-built malicious software.

iSIGHT Partners revealed that Iranian hackers have used fake accounts in a cyber espionage campaign that started at least four years ago. The hackers tried to infiltrate the networks of contacts around persons of interest in order to spy on their targets.

“The targeting, operational schedule, and infrastructure used in this campaign is consistent with Iranian origins.” states iSIGHT Partners.

The Iranian hackers invested considerable effort in making the bogus identities they created to spy on the victims look realistic; iSIGHT said it was the most elaborate net-based spying campaign using social media it had ever seen.

“iSIGHT Partners believes Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign. At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas.”

The stealth campaign has targeted US Navy admirals, politicians, ambassadors, think tanks, defense contractors, and senior government and military figures from different countries, including Afghanistan, Iraq, Israel, Saudi Arabia, Syria and the UK.

The bogus identities used by the Iranian hackers claim to work in government, journalism and defense contracting. The attackers exploit the network of accounts by managing mutual interactions and relationships with the victims’ direct contacts, and they use a fictitious journalism website, newsonair.org, that republishes news content from other legitimate media outlets.

The cyber espionage through social media platforms is conducted by orchestrating the activities of bogus identities that, exactly like any real person, are linked to other accounts, build “friendships” with the target victims and stimulate discussions on topics of interest. The purpose is to profile the victims and extract sensitive information about their activities and relationships from their updates and their social media activity.

The Iranian hackers targeted victims with spear-phishing messages containing links to fake log-in pages used to harvest the victims’ credentials.

The attackers also used malware for data exfiltration, but according to the analysts the malicious code used by the Iranian hackers was not sophisticated.

To spread malware via phishing while avoiding detection, the hackers adopted a well-established technique: they initially sent malware-free links to the connections established on social media, and in a second step of the attack, once the links had passed security scans, the domains behind the links were seeded with malware.
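Seen from the defender's side, the pattern described above (links scanned clean at delivery, domains weaponized later) is a time-of-check/time-of-use gap in link filtering: a verdict cached at delivery time says nothing about the domain at click time. The following Python is an added example, not code from the iSIGHT report or from this site; `scan_url`, the `.invalid` domains and the timestamps are constructed stand-ins for whatever URL scanner or sandbox a defender actually runs. It caches delivery-time verdicts, re-checks stale verdicts when a link is actually clicked, and retroactively lists domains whose verdict flipped so recipients who already clicked can be triaged.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed timeline standing in for a real URL scanner / sandbox: for each
# domain, the verdict a scan would return from a given instant onward.
SCAN_TIMELINE = {
    "news-example.invalid": [
        (datetime(2014, 5, 1), "clean"),       # delivered clean, passes the gateway scan
        (datetime(2014, 5, 10), "malicious"),  # domain seeded with malware afterwards
    ],
    "benign-example.invalid": [(datetime(2014, 5, 1), "clean")],
}


def scan_url(domain, when):
    """Stand-in scanner (constructed): returns the verdict in force at `when`."""
    verdict = "unknown"
    for start, v in SCAN_TIMELINE.get(domain, []):
        if when >= start:
            verdict = v
    return verdict


@dataclass
class LinkRecord:
    domain: str
    delivery_verdict: str      # verdict when the link first entered the organisation
    last_checked: datetime
    last_verdict: str
    history: list = field(default_factory=list)


class LinkReputationCache:
    """Caches scan verdicts but re-verifies them at click time once they are stale."""

    def __init__(self, recheck_after=timedelta(hours=12)):
        self.recheck_after = recheck_after
        self.records = {}

    def on_delivery(self, domain, when):
        """Scan a link as it is delivered (mail gateway, social media message) and cache the verdict."""
        verdict = scan_url(domain, when)
        self.records[domain] = LinkRecord(domain, verdict, when, verdict, [(when, verdict)])
        return verdict

    def on_click(self, domain, when):
        """Decide at click time. Returns (decision, flipped): flipped is True when the
        current verdict differs from the delivery-time one, i.e. delayed weaponization."""
        rec = self.records.get(domain)
        if rec is None:
            self.on_delivery(domain, when)
            rec = self.records[domain]
        elif when - rec.last_checked >= self.recheck_after:
            rec.last_verdict = scan_url(domain, when)
            rec.last_checked = when
            rec.history.append((when, rec.last_verdict))
        decision = "block" if rec.last_verdict == "malicious" else "allow"
        return decision, rec.last_verdict != rec.delivery_verdict

    def retroactive_alerts(self, now):
        """Re-scan every cached domain and return those that turned malicious after
        delivery, so recipients who already clicked can be contacted and triaged."""
        flipped = []
        for rec in self.records.values():
            rec.last_verdict = scan_url(rec.domain, now)
            rec.last_checked = now
            rec.history.append((now, rec.last_verdict))
            if rec.last_verdict == "malicious" and rec.delivery_verdict != "malicious":
                flipped.append(rec.domain)
        return flipped


def demo():
    """Run the constructed scenario and return the decisions for inspection."""
    cache = LinkReputationCache()
    out = {}
    out["delivery"] = cache.on_delivery("news-example.invalid", datetime(2014, 5, 2))
    cache.on_delivery("benign-example.invalid", datetime(2014, 5, 2))
    # Click an hour later: the cached verdict is fresh and still correct.
    out["early_click"] = cache.on_click("news-example.invalid", datetime(2014, 5, 2, 1))
    # Click ten days later: the domain has been seeded in the meantime, so the
    # stale "clean" verdict is re-checked and the click is blocked.
    out["late_click"] = cache.on_click("news-example.invalid", datetime(2014, 5, 12))
    out["benign_click"] = cache.on_click("benign-example.invalid", datetime(2014, 5, 12))
    out["alerts"] = cache.retroactive_alerts(datetime(2014, 5, 12))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The re-check interval is a policy knob: a short one costs extra scans, a long one widens the window in which a seeded domain is still served from a "clean" cache entry. The `history` list on each record is what an analyst would pull when reconstructing who received the link before and after the verdict flipped.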

Below are the key findings of the report:

  • Social media offers a powerful and covert pathway for targeting key government and industry leadership through a third-party platform potentially outside of existing security measures.
  • Given targeting associated with this campaign, Iranian actors may have used accesses gained through this activity to support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S.  Furthermore, it is possible that any access or knowledge could be used as reconnaissance-for-attack in advance of disruptive or destructive activity.
  • Adversaries such as these are increasingly adept at finding and exploiting opportunities to carry out cyber espionage, even when lacking sophisticated capability.  NEWSCASTER’s success is largely due to its patience, brazen nature, and innovative use of multiple social media platforms.

It is not clear whether the Iranian hackers are state-sponsored actors. If you are interested in understanding how social media could be exploited in the military sector, let me suggest reading my post “Social Media use in the Military Sector”.

iSIGHT had already informed many of the victims targeted by the Iranian hackers and had alerted law enforcement and intelligence agencies.


(Security Affairs –  Iranian hackers, social media)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
