On Thursday, Texas-based security firm ISight Partners said they had uncovered a multi-year operation by Iranians that used carefully-constructed fake identities on social networks to gain the trust of as many as 2,000 targets.
“What’s fascinating is the depth they went to [to] establish an identity,” ISight director of marketing/PR Steve Ward told VentureBeat. He said the cyber-spies were uncovered by his company through a combination of clues it encountered during its regular anti-cyberthreat work for Fortune 500 companies and government agencies.
The targets included a U.S. Navy Admiral, American diplomatic and congressional personnel, journalists, supporters of Israel, and the public and private sector in the U.K., Saudi Arabia, and Iraq, among others. On its website, ISight describes the operation as “unprecedented in complexity, scale, and longevity.”
The operation, which ISight calls Newscaster, created six identities who supposedly worked for the news organization NewsOnAir.org, an apparently fake but still live site that incorporates news feeds from Reuters, BBC, and other services.
Ward pointed out that there is a legitimate NewsOnAir.com, an Indian news organization.
Another eight personas, who claimed to work for (faked) defense contractors and others, were also manufactured. One of the ways that ISight determined the attackers were Iranian was that the hackers’ apparent lunch break conformed to the Iranian workday, plus they took half of Thursday off and all of Friday, which is the Iranian weekend.
The Human Brain
“You can plug up seven layers of a network,” Ward told us, “but you can’t [completely] plug the 8th, the human brain.” And, Ward said, LinkedIn, Facebook and other social networks are perfect for creating a backstory that encourages trust.
“If I can see who’s in your network, I can build up believability,” he said. When the target is approached via a friend request or other communication referencing that network, Ward noted, the target’s response frequently is: “‘I don’t really remember him, but he’s connected with everyone I know.’”
The operation, which ISight was able to trace back to 2011, involved Facebook, Google+, YouTube, LinkedIn, Blogger, and Twitter. First contacts with targets contained informative-seeming links, such as ones to NewsOnAir.org, which were eventually followed by links to sites that attempted to capture logons or by links that would install what Ward described as “pretty mundane malware.”
“We can’t say [the targets] lost military secrets like a joint fighter blueprint,” Ward told us, “but you’re looking at an extensive, multi-year campaign.” He declined to be more specific about what, if anything, the hackers took.
The company’s website reports:
“Iranian actors may have used accesses gained through this activity to support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S. Furthermore, it is possible that any access or knowledge could be used as reconnaissance-for-attack in advance of disruptive or destructive activity.”
Are there more such malicious actors on Facebook out there?
ISight said that “there may be additional victims that do not yet realize they are at risk.”
“This is the world we live in,” Ward said. “Cyber-espionage is real.”