Hackers, most likely in Iran, have been using fake profiles on Facebook, Twitter, and other social media networks to mine data from Israeli, American, and British corporations and government bodies. An American security group, iSIGHT Partners, on Thursday published details of the scam, describing how the hackers conducted “a coordinated, long-term cyber espionage campaign” to target more than 2,000 government and business officials.
It was an elaborate, well-organized version of a classic “spear phishing” campaign, in which users are either tricked into giving up personal information, like logins or passwords, or have their data hijacked by malware that gets onto their systems when they click on links, iSIGHT said. And while there’s no direct proof that Iran is behind the scam, the company said, there was plenty of circumstantial evidence — including the times of day when the hackers connected with their victims, connecting at odd hours and taking breaks that corresponded, among other things, with midday “siesta time” in Tehran.
The scam, called “Newscaster,” has been going on since at least 2011, iSIGHT said, with hackers building online personalities using detailed, believable personal profiles on social networks like Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger, and others. The profiles ostensibly belonged to journalists, defense contractors, and government officials, positioning themselves as strong supporters of Israel and connecting with victims who were also strong supporters of Israel.
At least 2,000 top-level politicians, diplomatic personnel, Congressional aides, journalists, and others were victims of the scam, said iSIGHT.
The hackers would send out links to news stories on a phony journalism site (a hotbed of plagiarism, iSIGHT said) called Newsonair.org. Once friended, victims of the scam would be sent spear-phishing messages, directing them to links where they would be asked to provide personal information or enter a login and password (on the theory that most people use the same login/password for multiple sites), which the hackers would use to break into victims’ email and other personal accounts.
In addition, the hackers would attach malware to the links, surreptitiously loading a victim’s system with spyware that would stealthily collect password information for accounts. The malware, said iSIGHT, was “not particularly sophisticated, but it includes capability that can be used for data exfiltration.”
While phishing scams go on all the time and are conducted by all manner of Internet criminals, the level of sophistication and organization indicates that the people behind the scam belonged to a large organization, and the type of victims targeted indicates that it was conducted by a government seeking to get information about defense systems, strategies, and policies. That the main targets were Israelis and supporters of Israel in the US and the UK — and that the topic of discussion was usually Israeli defense — makes it most likely that Iran is the culprit.
The scam, the company said, may have been Iran’s cyber-response to Stuxnet, in which Israeli hackers allegedly unleashed malware that significantly retarded the progress of Iran’s nuclear development program.
With that, iSIGHT said, “we can’t be certain” that it was Iran. “We have no information implicating the ultimate sponsor. In the past we’ve seen cyber espionage operations carried out by government organizations, corporate intermediaries, and other third parties.”
However, there was one damning piece of evidence linking Iran to the scam, said iSIGHT. The phony site the hackers used to disseminate poisoned links, Newsonair.org, was registered to a company located in Tehran.
In addition, iSIGHT said, the hackers made contact with their victims at “irregular” hours, such as late at night in Europe and the US, or very early in the morning, often sending out constant streams of messages — but taking a break in the middle.
“Though the timing of the social network attack may seem irregular at first, over multiple years the schedule behind the activity becomes apparent,” the group said. “They maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the workday. These hours conform to work hours in Tehran. Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend.”
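An added example, not code from iSIGHT's report, of the working-hours analysis the quote describes: constructed UTC timestamps of an operator's outbound contacts are re-read on a candidate local clock (assumed here to be Tehran standard time, UTC+3:30, with DST ignored) and bucketed by hour and weekday so the midday break and the Thursday/Friday pattern stand out.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not real campaign data): UTC times of one operator's
# outbound social-media contacts during the week of 5-11 January 2013.
SAMPLE_EVENTS_UTC = [
    "2013-01-05T04:30Z", "2013-01-05T07:30Z", "2013-01-05T10:30Z", "2013-01-05T13:30Z",
    "2013-01-06T05:30Z", "2013-01-06T07:30Z", "2013-01-06T10:30Z", "2013-01-06T12:30Z",
    "2013-01-07T04:30Z", "2013-01-07T07:30Z", "2013-01-07T10:30Z", "2013-01-07T13:30Z",
    "2013-01-08T05:30Z", "2013-01-08T07:30Z", "2013-01-08T12:30Z",
    "2013-01-09T04:30Z", "2013-01-09T07:30Z", "2013-01-09T10:30Z", "2013-01-09T13:30Z",
    "2013-01-10T04:30Z", "2013-01-10T07:30Z",  # Thursday only until midday; no Friday events
]

# Assumption: Tehran standard time, UTC+3:30, with DST ignored. A real analysis
# would use zoneinfo.ZoneInfo("Asia/Tehran") so historical DST rules apply.
TEHRAN = timezone(timedelta(hours=3, minutes=30), "IRST")
DAYS = ["Saturday", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]

def activity_profile(events_utc, tz):
    """Count events per local hour-of-day and per local weekday in zone tz."""
    hours, days = Counter(), Counter()
    for ts in events_utc:
        local = datetime.strptime(ts, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc).astimezone(tz)
        hours[local.hour] += 1
        days[local.strftime("%A")] += 1
    return hours, days

def longest_break(hours):
    """Longest run of idle hours between the first and last active hour, as (first, last)."""
    best, run_start = None, None
    for h in range(min(hours), max(hours) + 1):
        if hours.get(h, 0) == 0:
            run_start = h if run_start is None else run_start
        elif run_start is not None:
            if best is None or h - run_start > best[1] - best[0] + 1:
                best = (run_start, h - 1)
            run_start = None
    return best

def weekend_pattern(days, fraction=0.6):
    """Weekdays with no activity (candidate weekend) and with activity well below
    the busiest day (candidate half-day)."""
    peak = max(days.values())
    quiet = [d for d in DAYS if days.get(d, 0) == 0]
    light = [d for d in DAYS if 0 < days.get(d, 0) < fraction * peak]
    return quiet, light
```

Run the same events through `timezone.utc` and the day reads as 04:00 to 13:00 with a gap at 08:00-09:00; only on the Tehran clock does it become an 08:00 to 17:00 workday with a 12:00-13:00 lunch break.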
It was mistakes like those, and others that iSIGHT did not elaborate on, that enabled the company to figure out what was going on.
“These actors did not go unnoticed by some targeted entities and they left significant evidence of their activity throughout the Internet,” said iSIGHT. “As with many other threats, iSIGHT Partners combined malware analysis, open source research, and research from our global collection network to create our assessment of the Newscaster network.”
It also isn’t clear what valuable information, if any, the hackers got.
“It remains possible that the actors could selectively reveal information gained through this campaign to embarrass those who were targeted, or already have, but we have seen no evidence of this at this time. Ultimately, we believe the sponsors of the activity are seeking information advantage over rival military forces, defense industries, diplomats, and others,” iSIGHT said.
As usual, said the company, the lesson for the Internet consumer is caveat emptor — let the buyer, or in this case the surfer, beware.
“Newscaster was a brazen, complex multi-year cyber-espionage that used a low-tech approach to avoid traditional security defenses — exploiting social media and people who are often the ‘weakest link’ in the security chain,” said iSIGHT.
“Don’t be worried, but do be vigilant,” the firm advised. “Never provide login credentials to any site or person who contacts you (rather than you contacting it), use strong passwords and regularly change them.”