Cyber intelligence firm iSIGHT Partners uncovered a new threat from Iran - dubbed NEWSCASTER - targeting the public and private sector in the U.S., Israel, UK and beyond using social media. The firm believes Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign, working undetected since 2011.
The campaign targets senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, defense contractors in the U.S. and Israel, as well as others who are vocal supporters of Israel to covertly obtain log-in credentials to the email systems of their victims. Additional victims in the U.K. as well as Saudi Arabia and Iraq were targeted.
The fake personas claim to work in journalism, government, and defense contracting. These accounts are elaborate and have created credibility using, among other tactics, a fictitious journalism website, newsonair.org, that plagiarizes news content from other legitimate media outlets.
These credible personas then connected, linked, followed, and "friended" target victims, giving them access to information on location, activities, and relationships from updates and other common content, according to iSight.
Accounts were then targeted with "spear-phishing" messages. Links which appeared to be legitimate asked recipients to log-in to false pages, thus capturing credential information. It is not clear at this time how many credentials the attack has captured to date.
ISight said it had alerted some victims and social networking sites as well as the U.S. Federal Bureau of Investigation and overseas authorities.
Facebook said it had discovered the hacking group while investigating suspicious friend requests and other activity on its website.
LinkedIn said the site was investigating the report, though none of the 14 fake profiles uncovered by iSight were currently active.