Iranian hackers use fake Facebook accounts to spy on US

May 30, 2014 - 3:15:23 am

BOSTON: In an unprecedented, three-year cyber espionage campaign, Iranian hackers created false social networking accounts and a bogus news website to spy on military and political leaders in the United States, Israel and other countries, a cyber intelligence firm said yesterday.

ISight Partners, which uncovered the operation, said the targets include a four-star US Navy admiral, US lawmakers and ambassadors, and personnel from Afghanistan, Britain, Iraq, Israel, Saudi Arabia and Syria.

The firm declined to identify victims and said it could not say what data had been stolen by the hackers, who were seeking credentials to access government and corporate networks, as well as intelligence on weapons systems and diplomatic negotiations.

“If it’s been going on for so long, clearly they have had success,” iSight Executive Vice President Tiffany Jones said. The privately held company is based in Dallas, Texas and provides intelligence on cyber threats.

ISight dubbed the operation “Newscaster” because it said the Iranian hackers created six “personas” who appeared to work for a fake news site, NewsOnAir.org, which used content from the Associated Press, BBC, Reuters and other media outlets. The hackers created another eight personas who purported to work for defence contractors and other organisations, iSight said.

The hackers set up false accounts on Facebook and other social networks for these 14 personas, populated profiles with fictitious personal content, and then tried to befriend targets, according to iSight.

The operation has been active since at least 2011, iSight said, noting that it was the most elaborate cyber espionage campaign using “social engineering” uncovered to date from any nation.

To build credibility, the hackers would approach high-value targets by first establishing ties with the victims’ friends, colleagues, relatives and other connections over social networks including Facebook Inc, Google Inc, LinkedIn Corp and Twitter Inc.

The hackers would initially send the targets content that was not malicious, such as links to news articles on NewsOnAir.org, in a bid to establish trust. Then they would send links that infected PCs with malicious software, or direct targets to web portals that ask for network log-in credentials.

The hackers used the 14 personas to make connections with more than 2,000 people, the firm said, adding that it believed the group ultimately targeted several hundred individuals.

ISight said it had alerted some victims and social networking sites as well as the US Federal Bureau of Investigation and overseas authorities. An FBI spokeswoman declined to comment.

Facebook Inc spokesman Jay Nancarrow said his company had discovered the hacking group while investigating suspicious friend requests and other activity on its website.

“We removed all of the offending profiles we found to be associated with the fake NewsOnAir organisation and we have used this case to further refine our systems that catch fake accounts at various points of interaction on the site,” Nancarrow said.

LinkedIn spokesman Doug Madey said the site was investigating the report, though none of the fake profiles were active.

Twitter declined to comment and Google could not be reached for comment.

ISight said it could not ascertain whether the hackers were tied to the Tehran government, though it believed they were supported by a nation state because of the operation’s complexity.

The firm said NewsOnAir.org was registered in Tehran and likely hosted in Iran. The Persian term “Parastoo” was used as a password for malware associated with the group, which appeared to work during business hours in Tehran, according to iSight.

Among the 14 false personas were reporters for NewsOnAir, including one with the same name as a Reuters journalist in Washington; six employees who purportedly worked for defence contractors; a systems administrator with the US Navy; and an accountant working for a payment processor.

REUTERS
