An Iran-based hacking network used fake Facebook and other social media profiles to "befriend" and spy on US lawmakers and defence contractors in the US and Israel, among other targets, according to a new report.
According to the study, the hackers attempted to get "friendly" with US lawmakers, defence contractors and "at least one four-star general" using fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger).
Dallas-based cybersecurity intelligence firm iSight Partners reports that the ongoing campaign – which has seemingly stretched back over the past three years – is also targeting victims in the UK as well as Saudi Arabia and Iraq.
The social network engineering was used in a co-ordinated effort ultimately aimed at obtaining the log-in credentials to the email systems of their victims. The fake profiles claim to work in journalism (using a fake news outlet featuring plagiarised content called NewsOnAir.org to back up these claims), government, and defence contracting.
Journalist was the preferred mask used by the cyber-spies but they used various other disguises, said the report, including posing as recruiters for the defence industry and systems administrators for the US Navy.
Intended marks are befriended before being hit by spear-phishing scams ultimately aimed at extracting sensitive passwords. As many as 2,000 were targeted by cyber spies posing as journalists, according to the analysis by iSight partners.
iSight is unable to say how effective the Iranian network of cyber-spies has been. "It is reasonable to assume that a vast amount of social content was compromised in addition to some number of log-in credentials that can be used to access additional systems and information," it said.
Charles Tendell, founder of Azorian Cyber Security and a former US military intelligence officer, told El Reg that the mechanism of the attack was plausible enough to have ensnared at least a few victims.
"The proliferation of news organizations and sites worldwide lulled officials into a false sense of security that they were dealing with legitimate media," Tendell explained. "The ease with which one can create a front news organization and site is a perfect cover to launch cyber attacks, including gaining the trust of individuals so they'll unknowingly allow the hack. This includes clicking harmful links or opening damaging files that unleash the attack."
Facebook, Linkedin zap fake profiles
The details of the campaign are noteworthy but none of the individuals elements will come as much of a surprise to more attentive Reg readers or other with an interest in cyber-espionage. We already know that fake social media profiles are commonplace .
The report does not prove that the hacking crew was linked to the Iranian government.
The Iranian authorities, along with those in North Korea, are active in using social media for propaganda purposes while cracking down hard on its use by the general population - especially after the event of the Arab Spring three years ago where social media was used as an effective tool to mobilise protests in Egypt and beyond.
"#sockpuppets cyber personas Iranian use of Facebook not that elaborate and very commonplace," noted Treadstone 71, a private sector intelligence analyst, on Twitter.
Defence contractors and aerospace firms are a prime target for multiple intelligence agencies and assorted hackers around the world. Intelligence analysts generally rate Iran as a solid second-tier cyber power, alongside the likes of North Korea and Syria, but some way behind China and Russia.
“This attack is decently technical, but most of it is cleverness and time,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council in Washington, told Bloomberg.
Facebook and LinkedIn are well into the process of tracking down and deleting fake profiles (many of which featured the pictures of young, attractive women), the news agency adds.
US intelligence officials have previously apportioned blame for a wave of DDoS attacks against US banks in 2012 and 2103 to Iranian military. However no proof has ever been offered and those particular attacks might just as easily have been the work of angry hacktivists.
What's more credible are suggestions that Iran got serious about boosting its cyber capabilities since the Stuxnet worm sabotaged systems at a key nuclear enrichment facility. ®