Iran Spies ‘Using Facebook To Snoop On US Government’

Iran cyber - Shutterstock - © Duc Dao

‘Newscaster’ operation seeks to dupe government personnel out of passwords, says cyber intelligence firm

Iran’s intelligence agents are using fake profiles on social networks in attempts to trick US government and military personnel to divulge passwords for their accounts, a security company has claimed.

The snoops are using more than a dozen fake personas on social networking sites, including Facebook, Twitter, LinkedIn, Google+, YouTube and Blogger, and are connected from those services to at least 2,000 targets, cyber intelligence firm iSight Partners said. They pretend to be journalists, government officials and defense contractors.

Iran StarsUK groups were targeted, as were senior US military and diplomatic personnel, as well as American journalists, think tanks, defence contractors, the company said, claiming the operation was “unprecedented in complexity, scale, and longevity”.

Iran ‘Newscaster’ operation

The “Newscaster” campaign, which also saw the spies create a fake news website newsonair.org, went undetected for three years, having kicked off in 2011. The Facebook account for the news site no longer exists, whilst the Twitter account has not posted a message since January.

“The targeting, operational schedule, and infrastructure used in this campaign is consistent with Iranian origins,” iSight said, adding that the working hours of the group were in sync with those in Iran. It could not provide any definitive proof the hackers were from the country, however.

“These credible personas … connected, linked, followed, and ‘friended’ target victims, giving them access to information on location, activities, and relationships from updates and other common content.

“Accounts were then targeted with ‘spear-phishing’ messages.  Links which appeared to be legitimate asked recipients to log-in to false pages, thus capturing credential information. It is not clear at this time how many credentials the attack has captured to date.”

The spies were also using a strain of simple malware that was able to steal data, iSight said. The company suspected the campaign might have yielded some critical insight for the Iranians.

“Iranian actors may have used accesses gained through this activity to support the development of weapon systems, provide insight into the disposition of the US military or the US alliance with Israel, or impart an advantage in negotiations between Iran and the US.”

iSight admitted it had “limited knowledge of Newscaster targeting” and could not be certain the Iranian government sponsored the operation. Corporate intermediaries and other third parties could be responsible, it suggested, noting the perpetrators “made many mistakes and were detected by potential victims”.

The Iranian embassy in London was not available for comment at the time of publication.

Why the focus on Iran?

Various reports have suggested Iran is growing its cyber capability. FireEye released research linking the Ajax Security Team hackers, who hit Iranian users of anti-censorship technology and US government entities, with Iran.

FireEye said it believed Iran was increasingly reaching out to hacker groups within the country.

Some security experts have questioned the motivations behind recent reports from US security companies related to Iran’s alleged cyber campaigns. “There are genuine threats and capabilities with some nation states but focus seems to be on certain players at different times. That with the ‘quality’ of some reports raises questions about motives of those involved,” said security consultant Brian Honan, speaking to TechWeekEurope over Twitter.

“Genuine threats or marketing opportunities?” he added.

What do you know about Internet security? Find out with our quiz!