A team of Iranian hackers operated a fake news website and cultivated more than a dozen online personas – complete with family photos, mundane status updates, and personal blogs – in a sophisticated plot to steal the credentials of more than 2,000 individuals, including high-level U.S. government officials, according to a report released Thursday by a cyber intelligence group.
Security experts said the hackers painstakingly developed at least fourteen fake personas to befriend military and diplomatic targets across the gamut of social media platforms, especially Facebook and LinkedIn. Once they had successfully connected with their targets, the hackers used "spear-phishing" attacks to steal email passwords or planted malware on the victims' computers.
The so-called Newscaster scheme went undetected for three years until it was revealed this week by Dallas-based cyber intelligence consultancy iSIGHT Partners. Analysts called it a relatively low-tech but highly effective feat of “human engineering” – an approach to cyber espionage that points to an evolution in the way hackers obtain government and defense secrets through the back doors of personal social media accounts.
“The average cyber espionage act differentiates itself by its technical sophistication; there’s a kind of arms race going on for new malware, things of that nature,” said John Hultquist, head of Cyber Espionage Intelligence for iSIGHT. “What sets Newscaster apart is that these actors focused instead on the human element.”
The hackers created and populated a range of social media accounts for each of six “reporters” with the fake news website NewsOnAir.org, which repurposes articles from Reuters, The Associated Press, the BBC and others, and was still publishing fresh content as of Thursday. Another eight personas claimed to work for the U.S. government or defense contractors.
Far from a hit-and-run cyber crime, the Newscaster scheme took a patient approach that involved years of building realistic personalities online, slowly connecting with friends and contacts of the intended targets in order to build credibility. The personas tweeted, updated their work history on LinkedIn, and posted family pictures to Google+. One persona even maintained a blog about her battle with depression.
The Newscaster accounts ultimately connected with at least 2,000 targets, including U.S. military and diplomatic personnel, Congressional officials, journalists, think tanks, defense contractors, Israeli officials, and others. The goal was to covertly obtain email passwords and other personal security information through so-called “spear-phishing” attacks, in which victims were prompted to enter their passwords into fake log-in fields that looked just like the user’s webmail client.
iSIGHT could not reveal the names of those targeted by the scheme, and said it was also not clear how many of the targets had actually entered their credentials, which would then have been captured and exploited, or how many had inadvertently downloaded accompanying malware the hackers occasionally deployed. But iSIGHT said that “it is reasonable to assume that a vast amount of social content was compromised in addition to some number of log-in credentials.”
“If it's been going on for so long, clearly they have had success,” iSIGHT Executive Vice President Tiffany Jones told Reuters.
Some personas even used the names or photos of real people. One called itself Sandra Maler, a real-life journalist with Thomson Reuters in Washington, though it used photos of an entirely different woman.
Although NewsOnAir is still live, the social media accounts of the Newscaster personas have been removed from the Internet.
LinkedIn spokeswoman Nicole Leverich told Al Jazeera that LinkedIn had received the iSIGHT report and was looking into the claims. “None of the specific profiles cited in the report are currently active on LinkedIn,” she said.
A Facebook spokesman, Jay Nancarrow, told Al Jazeera that Facebook discovered the hacking scheme separately from iSIGHT while it was investigating reports of suspicious friend requests.
“We removed all of the offending profiles we found to be associated with the fake NewsOnAir organization, and we have used this case to further refine our systems that catch fake accounts at various points of interaction on the site and block malware from spreading,” Nancarrow said.
iSIGHT believes the Newscaster scheme originates in Iran because NewsOnAir.org was registered in Tehran and likely hosted by an Iranian provider. It also said the hackers seemed most interested in U.S. and Israeli defense secrets, and used the Persian word “Parastoo” as a password for their malware. The hackers also worked during normal business hours in Tehran, within the country’s Sunday-Thursday work week.
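The working-hours clue above is a standard threat-intelligence heuristic: convert the timestamps of an operator's observable actions (posts, profile edits, domain registrations) into a candidate local time zone and check how well they fit that region's work week. The script below is an added illustration of that analysis and is not iSIGHT's tooling or anything from the report. It uses a constructed sample of event timestamps, assumes a fixed UTC+03:30 offset for Tehran (ignoring the daylight-saving shift Iran observed at the time) and an assumed 08:00-17:59 business window, and scores two rival hypotheses, a Tehran Sunday-Thursday week and a UTC Monday-Friday week, against the same events.

```python
"""Activity-timing heuristic for operator work-week attribution (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC+03:30 for Tehran. Iran observed DST in 2014, so a
# precise analysis would use zoneinfo.ZoneInfo("Asia/Tehran") instead.
TEHRAN = timezone(timedelta(hours=3, minutes=30), name="Tehran+0330")
UTC = timezone.utc

# Python weekday(): Monday=0 ... Sunday=6
SUN_TO_THU = frozenset({6, 0, 1, 2, 3})   # Iranian work week (as in the article)
MON_TO_FRI = frozenset({0, 1, 2, 3, 4})   # rival hypothesis
BUSINESS_HOURS = range(8, 18)             # assumed 08:00-17:59 local window

# Constructed sample of event timestamps in UTC (e.g. post times). Not real data.
SAMPLE_EVENTS = [
    "2014-03-02T05:30:00Z",  # Sun 09:00 Tehran
    "2014-03-02T10:15:00Z",  # Sun 13:45 Tehran
    "2014-03-03T04:45:00Z",  # Mon 08:15 Tehran
    "2014-03-04T12:00:00Z",  # Tue 15:30 Tehran
    "2014-03-05T07:20:00Z",  # Wed 10:50 Tehran
    "2014-03-05T13:50:00Z",  # Wed 17:20 Tehran
    "2014-03-06T06:00:00Z",  # Thu 09:30 Tehran
    "2014-03-06T11:30:00Z",  # Thu 15:00 Tehran
    "2014-03-07T08:00:00Z",  # Fri 11:30 Tehran (outside a Sun-Thu week)
    "2014-03-03T20:00:00Z",  # Mon 23:30 Tehran (outside business hours)
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def local_times(events, tz):
    """Convert every event to the candidate local time zone."""
    return [parse_utc(e).astimezone(tz) for e in events]

def workweek_fit(events, tz, work_days, hours=BUSINESS_HOURS) -> float:
    """Fraction of events that fall inside the hypothesised local work window."""
    local = local_times(events, tz)
    if not local:
        return 0.0
    hits = sum(1 for t in local if t.weekday() in work_days and t.hour in hours)
    return hits / len(local)


def activity_profile(events, tz):
    """Counts by local weekday name and by local hour, for a quick visual check."""
    local = local_times(events, tz)
    return Counter(t.strftime("%a") for t in local), Counter(t.hour for t in local)


HYPOTHESES = {
    "Tehran, Sun-Thu": (TEHRAN, SUN_TO_THU),
    "UTC, Mon-Fri": (UTC, MON_TO_FRI),
}


def rank_hypotheses(events, hypotheses=HYPOTHESES):
    """Return (label, fit) pairs, best-fitting hypothesis first."""
    scored = [(label, workweek_fit(events, tz, days))
              for label, (tz, days) in hypotheses.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for label, fit in rank_hypotheses(SAMPLE_EVENTS):
        print(f"{label:18s} fit={fit:.2f}")
    days, hours = activity_profile(SAMPLE_EVENTS, TEHRAN)
    print("by weekday (Tehran):", dict(days))
    print("by hour (Tehran):   ", dict(sorted(hours.items())))
```

On the constructed sample the Sunday-Thursday Tehran hypothesis scores 0.80 against 0.40 for a Monday-Friday UTC week. In practice this is only corroborating evidence: operators can deliberately shift their schedule, and a small number of events gives a noisy profile, which is why the article's attribution leans on several independent signals (registration, hosting, language, targeting) rather than timing alone.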
iSIGHT has briefed federal authorities, including the FBI’s Cyber Task Force, on Newscaster. The FBI told Al Jazeera it was aware of the report but that it had no comment.
While iSIGHT could not confirm whether the hackers had ties to the Iranian government, cyber security analysts said the considerable intelligence and resources that were required to run Newscaster since at least 2011 pointed to state involvement.
“They’re not doing this for a quick buck, to extrapolate data and extort an organization. They’re in it for the long haul,” said Franz-Stefan Gady, a senior fellow at the EastWest Institute and a founding member of the Worldwide Cybersecurity Initiative. Sophisticated human engineering has been the “preferred method of state actors” for several years, he said.
The Chinese army's cyber unit has carried out scores of similar phishing schemes to attack U.S. government agencies and major companies such as Coca-Cola and The New York Times over the past five years or so.
But Iranian hackers, who may or may not be sponsored by Tehran, have ramped up their activity online ever since the Stuxnet worm struck Iran's nuclear program in 2010. Tehran blamed the U.S. and Israel for that attack.
Morgan Marquis-Boire, a cyber-security researcher at the University of Toronto’s Citizen Lab, added that the Newscaster scheme appeared to be the work of the same actors Citizen Lab has seen performing malware attacks on Iranian dissidents and journalists for at least two years. “They share infrastructure with the campaigns reported by iSIGHT, and also use similar malware implants,” he said.
The danger inherent in these schemes is that when employees with access to secret information are targeted on their personal accounts, their employers have no idea there’s been a breach. All it takes is one employee falling prey to a hacker's bait, and an entire organization’s security can be compromised.
Gady also pointed out that the demographics of computer literacy play to the hacker’s advantage: “The problem is that senior executives are especially vulnerable to spear-phishing and those types of attacks because they’re not as familiar with social media, and they tend to be more trusting online than people in their 20s or 30s.”