SAN FRANCISCO — An elaborate, three-year cyberespionage campaign against United States military contractors, members of Congress, diplomats, lobbyists and Washington-based journalists has been linked to hackers in Iran.
The campaign compromised the computers of some 2,000 victims and went unnoticed since 2011, according to a report to be released Thursday by iSight Partners, a computer security firm in Dallas.
American intelligence officials have long said Iranian hackers are a serious threat, not for their technical skills, but because of the country’s vow to retaliate for Stuxnet, the computer virus created by the United States and Israel and unleashed on an Iranian nuclear site. But the skills of Iranian hackers were not believed to be on par with hackers in Russia and China.
The new report suggests that the Iranian skills gap may be closing.
“This marks the emergence of Iran on the cyberespionage landscape,” said John Hultquist, the head of cyberespionage intelligence at iSight Partners.
The report details elaborate attacks by a group that has been able to flourish, largely unnoticed.
The campaign, called “Newscaster” by iSight Partners researchers, employed “social engineering.” Hackers used a dozen fake personas and connected with victims over Facebook, LinkedIn, Twitter and YouTube. They sent their targets malicious links, which downloaded malware onto their machines, or directed them to fake login screens to steal the usernames and passwords.
Among the fake personas employed by the hackers were the names of real journalists. In one case, hackers purported to be Sandra Maler, a Reuters reporter. In others, they claimed to be employees at military contractors, a tax adviser and reporters for NewsOnAir.org, a fake news organization set up by the hackers. They tried to make the site look legitimate by copying and posting news articles and swapping out the real bylines with one of the fake names.
Hackers gave their personas Facebook pages, Twitter accounts, LinkedIn profiles and interacted with one another, even posting news about the death of a family dog. A hacker managing another persona also used social media platforms to publicize a personal blog about depression, aptly titled “My Loneliness.”
“The fact that this has gone largely unnoticed for three years suggests they’ve been very successful in this approach,” said Tiffany Jones, iSight Partners’ senior vice president.
Both Ms. Jones and Mr. Hultquist described the effort as the “most elaborate social engineering campaign” they had seen.
The iSight report did not say what types of data hackers were able to steal, but Ms. Jones said the list of targets, particularly military contractors, raised concerns that the hackers were after plans for military weapons systems.
There were many clues. The fake NewsOnAir.org website was registered in Tehran and sites that hackers used to deploy their malware were also hosted in Iran. The malware that the hackers used contained several Persian words. The time stamps of hackers’ activity tracked with professional working hours in Tehran. They even took the day off on Iranian weekends and holidays.
Another telltale sign, researchers said, was the content the hackers posted on their personas’ social media. In some cases, they posted Iranian jokes to their Facebook pages. One hacker used a Facebook page to ask followers, “What’s kind of sanction will lead to undermining the Iranian nation?”
iSight researchers said that because the attacks targeted victims’ personal profiles, much of the malicious activity occurred beyond the watch of their employers at defense contractors, lobbying firms, media outlets and Congress, allowing the attackers to operate undetected for so long.
“This is a particular threat that can’t be seen and operates outside the perimeter of the enterprise,” Ms. Jones said.
That kind of stealth hasn’t been seen in other attacks attributed to Iranian hackers, who in the past have been connected to blunt attacks meant to slow down or shut down banking sites.
Iranian hackers are also believed to have infected 30,000 computers belonging to Saudi Aramco, the world’s largest oil producer, replacing their contents with an image of a burning American flag.
And last year, American officials said Iranian hackers were behind a wave of attacks on several American oil, gas and electricity companies, which officials described as probes looking for ways to disrupt critical processing systems.
But the stealth of the Newscaster campaign, which continues, suggests Iranian hackers are not just set on business disruption, the researchers said. Now they are also aiming to steal intellectual property and military and trade secrets.