Iranian hackers waged a sophisticated three year campaign on social media designed to snag the credentials of senior US military, diplomatic and congressional staff as well as victims in the UK and elsewhere, according to new intelligence.
The report from threat intelligence firm iSight Partners, claims the “Newscaster” campaign targeted at least 2,000 individuals.
The hackers, who may have been state-sponsored, typically registered credible but fake personas – including those of journalists – on various social sites including Facebook, LinkedIn, Twitter and Google+ before ‘friending’ or following their targets.
This gave them info - via their targets’ various updates and other common content - on “location, activities, and relationships”.
“Accounts were then targeted with ‘spear-phishing’ messages. Links which appeared to be legitimate asked recipients to log-in to false pages, thus capturing credential information. It is not clear at this time how many credentials the attack has captured to date,” iSight noted in a blog post.
“Additionally, this campaign is linked to malware. While the malware is not particularly sophisticated it includes capability that can be used for data exfiltration.”
Spear phishing of this kind is a typical first step in an APT or targeted attack campaign, so it is highly likely that these credentials were used to infiltrate the networks of various key institutions in the US, Israel, the UK, Iraq and elsewhere.
“This campaign, working undetected since 2011, targets senior US military and diplomatic personnel, congressional personnel, Washington DC area journalists, US think tanks, defense contractors in the US and Israel, as well as others who are vocal supporters of Israel to covertly obtain log-in credentials to the email systems of their victims,” iSight revealed.
“Additional victims in the UK as well as Saudi Arabia and Iraq were targeted.”
The firm added that the intelligence gleaned from these attacks could ultimately "support the development of weapon systems, provide insight into the disposition of the US military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the US, especially with regards to sanctions and proliferation issues”.
The hackers are thought to hail from Iran as the timing of the attacks conforms to working hours in the country, even down to the extended lunch break, the half day on Thursday and the lack of activity on Fridays.
Andrey Dulkin, senior director of cyber innovation at CyberArk, argued that the “pathway” used by the Iranian hackers is not much different from that seen recently with the eBay breach.
“Attackers search the perimeter for a way inside – usually through phishing or similar attacks. Through this foothold, they steal the credentials of an employee or official – transforming the attacker into a de facto insider,” he added.
“The scary thing, as demonstrated by eBay, is that they can use these same accounts to cover their tracks, which could be the reason why it was months before eBay knew what was going on. This is exactly what MI5 recently warned all British businesses about – that foreign spy organisations are targeting IT workers in hopes of gaining privileged access to sensitive computer systems.”