An Iranian hacking network is behind an elaborate three-year campaign to use social networks to strike up friendships with U.S. lawmakers, defense contractors and at least one four-star general, and then extract data from them, according to a new report.
Such an effort, if linked to Iran’s government, would indicate that Tehran is seeking to mount large-scale hacking efforts to rival those of the U.S. and China. Yet the recent and at times sloppy attempt, as outlined in a report released today by Dallas-based cybersecurity company iSight Partners, also provides a window on a cyberspying operation with lapses in sophistication but vast scope and a clever leveraging of victims’ exposure to social media.
According to iSight’s report, the espionage group created a fake news organization and a stable of fabricated journalists. Using those and other personas, the hackers attempted to interact with some 2,000 military, government and diplomatic officials over Facebook Inc. (FB) and other social-media sites with an aim of getting access to e-mail accounts and personal data, the report said.
The operation bore the hallmarks of an organization willing to devote resources and time to take over computers and e-mail accounts of targets, who were not only from the U.S. but also the U.K., Israel, Saudi Arabia and Iraq, the security researchers said. It also looked like the work of clock-punchers: The hackers took Tehran-time lunch breaks and went quiet from Thursday afternoon to Saturday morning, a schedule consistent with Iran’s work week, iSight said.
“Two years ago Iran made a promise to raise a team of cyberwarriors, and they are making good on that promise,” said Patrick McBride, iSight’s vice president for marketing. “This is unlike anything we’ve seen in terms of the lengths these guys have gone to create credible personas and get past the filters people have now.”
ISight said that while the efforts were routed through Iran-based computers, it wasn’t clear if the hackers worked directly for Iran’s government.
Hamid Babaei, a representative of Iran’s United Nations mission in New York, didn’t immediately return an e-mail seeking comment.
The U.S. Federal Bureau of Investigation is aware of the report and declined to comment, said Jenny Shearer, a spokeswoman.
In some ways, the hackers’ tactics and targets are similar to those used by China, the U.S. and other countries in extensive digital spying operations that have increasingly caused tension between governments. The issue exploded again this month when the U.S. indicted five Chinese military hackers on charges of breaking into networks of U.S. companies.
While U.S. intelligence experts have generally considered Iran a second-tier cyber power, alongside the likes of North Korea and Syria, the latest campaign helps confirm that forces in Tehran are intent on upping the country’s capacity for digital spying, security experts say.
The secretive regime in Tehran has sought to bolster its cyber capabilities since 2010, when some of Iran’s uranium processing capacity was destroyed by a cyber-attack attributed to the U.S. and Israel. Since then, Iranian media has carried reports of a directorate to oversee cyber activities, and a growing army of hackers dedicated to the Islamic Republic.
“This attack is decently technical, but most of it is cleverness and time,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council in Washington. “Iran believes they are facing dangerous attacks by Israel, dangerous attacks by the U.S., and they know they have to come up with some clever stuff.”
The alleged attacks serve as a reminder of social-media vulnerabilities. The hackers connected with friends of the intended targets, the investigators said, to gain trust. Then they would send videos or links to stories, embedding malicious software that allow the hackers to access e-mail and steal data.
ISight didn’t identify any of the alleged targets. It wasn’t certain how many people lost data or had accounts compromised, McBride said.
According to the report, the hackers created a website, NewsOnAir.org, filling it with news stories it attributed to its own journalists, who went by names including Sara McKibben and Adia Mitchell. The same names were found on Facebook pages and LinkedIn Corp. (LNKD) accounts that featured extensive postings. Young, attractive women were often shown in the profile photos, the report said.
The alleged journalists interacted with each other on social-media sites in a way that added to their legitimacy, it added.
Facebook deleted the suspicious profiles about a week ago, according to Jay Nancarrow, a spokesman, who said the company’s security team had discovered the profiles while investigating “suspicious” friend requests. LinkedIn is investigating the report’s claims, said Hani Durzy, a spokesman. None of the LinkedIn profiles cited in the report are now active, Durzy said.
The group also created personas designed to target U.S. defense contractors and senior military officials, including a job recruiter for the defense industry and a systems administrator for the U.S. Navy, the report said.
The faux-journalists would sometimes use stilted English. They lifted stories directly from large news organizations, putting the articles under the names of their alleged journalists -- sometimes using multiple spellings of the same reporter’s name, the report said.
U.S. intelligence officials have attributed a wave of attacks against the websites of American banks in 2012 and 2103 to Iranian military hackers. Iranian media reported last year that the chief of its unit dedicated to cyber warfare was found shot dead in the woods northwest of Tehran, a report that publicized both the unit and an air of intrigue surrounding it.
Private security firms have also tracked Iranian patriotic hackers, including a group of student hackers known as Cyber Warriors Team, which took credit for hacking National Aeronautics and Space Administration computers in 2012.
Although the campaign described by iSight stretches back to 2011, Iran is still a relative newcomer at cyber operations. The Chinese military unit to which the five indicted officers belong has been active since at least 2002, according to leaked classified U.S. diplomatic cables published by WikiLeaks.
That may be a challenge for countries trying to master digital spying now, because governments and companies have already begun to sharpen their defenses.
“As more people have bought security technologies, it’s become harder for sure,” said Jacob Olcott, a principal at Good Harbor Security Risk Management in Washington. “It doesn’t mean that major security incidents can’t happen, aren’t happening -- but you may be getting closer to stopping the easier stuff.”
To contact the reporter on this story: Michael Riley in Washington at firstname.lastname@example.org
To contact the editors responsible for this story: Sara Forden at email@example.com Jeffrey D Grocott, Elizabeth Wasserman