Threat Intelligence

Iranian spies bait U.S. officials in years-long social engineering scheme

Researchers have uncovered a three-year espionage campaign primarily targeting U.S. military officials, diplomatic and congressional staff, and defense contractors in the country and abroad.

On Wednesday, threat intelligence firm iSight Partners detailed the operation, dubbed “Newscaster" for the intricate social engineering scheme used in attacks. Attackers took on fake, social media personas, and even erected a phony news site, NewsOnAir.org, to gain the trust of their targets.

According to a 19-page report by iSight, hackers, believed to be based in Iran, used numerous networking sites, including Facebook, LinkedIn, Twitter and Google+, to connect with victims.

Once a connection was established with targets, attackers often went after victims' login details by sending them links to “credential collection sites,” which were designed to look like login pages for Yahoo, Google, our Outlook Web Access, the report said.

Researchers believe the network's primary goal was to collect insight on military or diplomatic affairs, as well as intel about defense organizations, for their sponsors' interests and advantage. In addition to collecting credentials, attackers also used the campaign, which dates back to 2011, to distribute malware capable of data exfiltration.

A number of factors led researchers to believe the attacks originated in Iran, including the fact that social networking posts were made during Tehran working hours. Furthermore, NewsOnAir.org was registered in Tehran, and IP addresses used in the attackers' infrastructure mainly hosted Iranian content, the report revealed.

John Hultquist, manager of cyber espionage and threat intelligence at iSight, told SCMagazine.com in a Thursday interview that the Newscaster campaign was the “most extensive social engineering scheme” the firm had seen to date.

Fake social media personas included “reporters,” who shared articles via the fictitious news site, NewsOnAir.org.

“For the most part, the news site was set up just to legitimize the [fake] accounts,” Hultquist said.

According to iSight's report, a supposed recruiter for a defense contractor and a systems administrator for the U.S. Navy, (who both accumulated more than 500 connections on various social networking sites), were also among the network of fake profiles leveraged in the years-long spy campaign.

The Newscaster operation primarily targeted individuals in the U.S. and Israel, but targets in the U.K, Saudi Arabia and Iraq were also of interest to attackers. While iSight said it was unclear how many credentials were ultimately stolen by the group, it determined that more than 2,000 people were connected to the network of fake accounts or personas.

“When it comes to the high-value targets, [attackers] went after numerous contacts of the targets to try to befriend them,” Hultquist said of the group's tactics. “It sort of snowballed in their favor as result, to the point where we actually saw people on LinkedIn endorsing these personas for their skills."

In a report released earlier this month, security firm FireEye said that Iran-based hacker groups are increasingly becoming more sophisticated in their attacks. 

The 20-page report highlighted the activities of the Iranian Ajax Security Team, which targeted defense industrial-based U.S. companies, as well as Iranian dissidents and those who used anti-censorship technology to circumvent Iran's internet filtering system. Over time, the hacker group moved from carrying out website defacements (dating back to 2010) to targeting groups, this year, with malware used for espionage purposes.

In his interview, Hultquist said that the Newscaster threat showcases Iran's aims to compete with elite hacking organizations.

“They are coming to the game a little late with less resources, and we are seeing activity that is less about technical sophistication, and more about creativity, brashness and social engineering,” Hultquist said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.