Iranian hacker team creates false identities to target Facebook friends

Espionage team creates fake identities on social networks, then builds relationships it can exploit with key international figures

PUBLISHED: Thursday, 29 May, 2014, 9:58pm
UPDATED: Friday, 30 May, 2014, 1:42am

In an unprecedented, three-year cyber espionage campaign, Iranian hackers created false social-networking accounts and a fake news website to spy on military and political leaders in the United States, Israel and other countries, a cyber intelligence firm said yesterday.

ISight Partners, which uncovered the operation, said the hackers' targets included a four-star US navy admiral, US lawmakers and ambassadors, members of the US-Israeli lobby, and others from Britain, Saudi Arabia, Syria, Iraq and Afghanistan.

The firm declined to identify the victims and said it could not say what data had been stolen by the hackers, who were seeking credentials to access government and corporate networks, as well as to infect machines with malicious software.

"If it's been going on for so long, clearly they have had success," said iSight executive vice-president Tiffany Jones. The privately held company is based in Dallas, Texas, and provides intelligence on cyber threats.

ISight dubbed the operation Newscaster because it said the Iranian hackers created six "personas" who appeared to work for a fake news site, which used content from the Associated Press, BBC, Reuters and other media outlets. The hackers created another eight personas who purported to work for defence contractors and other organisations, iSight said.

The hackers set up false accounts on Facebook and other social networks for these 14 personas, populated their profiles with fictitious personal content, and then tried to befriend target victims, according to iSight.

The operation had been active since at least 2011, iSight said, noting that it was the most elaborate cyber espionage campaign using "social engineering" uncovered to date from any nation.

To build credibility, the hackers would approach high-value targets by first establishing ties with the victims' friends, classmates, colleagues, relatives and other connections over social networks run by Facebook, Google and YouTube, LinkedIn and Twitter.

The hackers would initially send the targets content that was not malicious, such as links to news articles, in a bid to establish trust. Then they would send links that infected computers with malicious software, or directed targets to websites that asked for log-in credentials, iSight said.

The hackers used the 14 personas to make connections with more than 2,000 people, the firm said, adding that it believed the group ultimately targeted several hundred individuals.

"This campaign is not loud. It is low and slow," said Jones. "They want to be stealthy. They want to be under the radar."

ISight said it had alerted some victims and social networking sites as well as the US Federal Bureau of Investigation and overseas authorities.

Facebook spokesman Jay Nancarrow said the company had discovered the hacking group while investigating suspicious friend requests and other activity on its website.

"We removed all of the offending profiles we found to be associated with the fake NewsOnAir organisation, and we have used this case to further refine our systems that catch fake accounts at various points of interaction on the site and block malware from spreading," Nancarrow said.

LinkedIn spokesman Doug Madey said the site was investigating the report, though none of the 14 fake profiles uncovered by iSight were currently active.

ISight disclosed its findings as evidence emerges that Iranian hacking groups are becoming more aggressive.

Cybersecurity company FireEye reported this month that a group known as the Ajax Security Team had become the first Iranian hacking group to build malicious software for espionage.

Iranian hackers stepped up their activity in the wake of the Stuxnet attack on Tehran's nuclear programme in 2010. The Stuxnet computer virus is widely believed to have been launched by the US and Israel.

ISight said it could not ascertain whether the hackers were tied to the government in Tehran, though it believed that they were supported by a nation state because of the complexity of the operation.

The firm said the fake news website was registered in Tehran and was probably hosted by an Iranian provider.