Date: 2014-05-29
BOSTON May 29 In an unprecedented, three-year
cyber espionage campaign, Iranian hackers created false social
networking accounts and a fake news website to spy on military
and political leaders in the United States, Israel and other
countries, a cyber intelligence firm said on Thursday.
ISight Partners, which uncovered the operation, said the
hackers' targets include a four-star U.S. Navy admiral, U.S.
lawmakers and ambassadors, members of the U.S.-Israeli lobby,
and personnel from Britain, Saudi Arabia, Syria, Iraq and
Afghanistan.
The firm declined to identify the victims and said it could
not say what data had been stolen by the hackers, who were
seeking credentials to access government and corporate networks,
as well as to infect machines with malicious software.
"If it's been going on for so long, clearly they have had
success," iSight Executive Vice President Tiffany Jones told
Reuters. The privately held company is based in Dallas, Texas
and provides intelligence on cyber threats.
ISight dubbed the operation "Newscaster" because it said the
Iranian hackers created six "personas" who appeared to work for
a fake news site, NewsOnAir.org, which used content from the
Associated Press, BBC, Reuters and other media outlets. The
hackers created another eight personas who purported to work for
defense contractors and other organizations, iSight said.
The hackers set up false accounts on Facebook and other
online social networks for these 14 personas, populated their
profiles with fictitious personal content, and then tried to
befriend target victims, according to iSight.
The operation has been active since at least 2011, iSight
said, noting that it was the most elaborate cyber espionage
campaign using "social engineering" that has been uncovered to
date from any nation.
To build credibility, the hackers would approach high-value
targets by first establishing ties with the victims' friends,
classmates, colleagues, relatives and other connections over
social networks run by Facebook Inc, Google Inc
and its YouTube, LinkedIn Corp and Twitter Inc.
The hackers would initially send the targets content that
was not malicious, such as links to news articles on
NewsOnAir.org, in a bid to establish trust. Then they would send
links that infected PCs with malicious software, or direct
targets to web portals that ask for network log-in credentials,
iSight said.
The hackers used the 14 personas to make connections with
more than 2,000 people, the firm said, adding that it believed
the group ultimately targeted several hundred individuals.
"This campaign is not loud. It is low and slow," said Jones.
"They want to be stealth. They want to be under the radar."
ISight said it had alerted some victims and social
networking sites as well as the U.S. Federal Bureau of
Investigation and overseas authorities. An FBI spokeswoman
declined to comment.
Facebook Inc spokesman Jay Nancarrow said his company
had discovered the hacking group while investigating suspicious
friend requests and other activity on its website.
"We removed all of the offending profiles we found to be
associated with the fake NewsOnAir organization and we have used
this case to further refine our systems that catch fake accounts
at various points of interaction on the site and block malware
from spreading," Nancarrow said.
LinkedIn spokesman Doug Madey said the site was
investigating the report, though none of the 14 fake profiles
uncovered by iSight were currently active.
Twitter declined to comment and Google could not immediately
be reached for comment.
POST-STUXNET ERA
ISight disclosed its findings as evidence emerges that
Iranian hacking groups are becoming increasingly aggressive.
Cybersecurity company FireEye Inc reported earlier
this month that a group known as the Ajax Security Team has
become the first Iranian hacking group to use custom-built
malicious software for espionage.
Iranian hackers stepped up their activity in the wake of the
Stuxnet attack on Tehran's nuclear program in 2010. The Stuxnet
computer virus is widely believed to have been launched by the
United States and Israel.
ISight said it could not ascertain whether the hackers were
tied to the government in Tehran, though it believed they were
supported by a nation state because of the complexity of the
operation.
The firm said NewsOnAir.org was registered in Tehran and
likely hosted by an Iranian provider. The Persian term
"Parastoo" was used as a password for malware associated with
the group, which appeared to work during business hours in
Tehran, according to iSight.
Among the 14 false personas were reporters for NewsOnAir,
including one with the same name as a Reuters journalist in
Washington; six employees who purportedly worked for defense
contractors; a systems administrator with the U.S. Navy; and an
accountant working for a payment processor.
A spokesman for Thomson Reuters Corp, which owns Reuters,
declined to comment.
(Reporting by Jim Finkle; Editing by Tiffany Wu)