Skip to main content

Iranian hackers ran an elaborate social media campaign to steal state secrets, report claims

Iranian hackers ran an elaborate social media campaign to steal state secrets, report claims

Share this story

Four years ago, a virus called Stuxnet, strongly suspected to come from the US or Israel, was found in Iranian nuclear facilities. Now, a group of Iranian hackers may have spent years running a convoluted plan to steal government credentials through social media. A report from cybersecurity consulting group iSight Partners claims that since 2011, a phony news agency called NewsOnAir has been building online ties with senior military and diplomatic officials, personnel from ten or more US and Israeli defense contractors, and bureaucrats with a "particular concentration" around North Carolina (home of Fort Bragg and several other military bases.)

NewsOnAir uses existing phishing and social engineering tactics to gain their targets' trust. Creating at least 14 fictional identities, they first looked for the target's existing connections on a social network, posing as journalists, military members, or defense contractors. At least some people would respond to a friend request, giving them a veneer of credibility. Then, they would connect with the actual target, sometimes tailoring the profile to reflect a direct connection with their company. Fake names were either made up wholesale or lifted from actual people, including Reuters journalist Sandra Maler, and the identities operated Twitter accounts, Facebook pages, Wordpress blogs, and LinkedIn profiles, some of which have now been deleted. The central Twitter Account, @NewsOnAir2, appears to have last posted several months ago.

The central site, which remains operational, posts real articles, but they're simply pulled from news agencies like Reuters and given a new byline. Its other content can be stilted to the point of surreality. The site description is just the first paragraph of Wikipedia's entry for "broadcasting." Facebook and Twitter accounts post links to these articles and other pages, some of which are equally awkward. A poll posted by "Joseph Nilsson" on Facebook, archived by iSight, asks readers whether they prefer "nature beauty" (a pond) or "human related beauty" (a beautiful woman.) These social media posts, according to the report, are meant to clinch the hackers' victory. They would send readers to fake login pages for Yahoo, Google, and Outlook Web Access, asking them to enter their credentials before redirecting them to the content. The ultimate goal, it's speculated, would be to conduct military surveillance or steal state secrets, revealing details about US-Israeli relations or even information about weapons programs.

Were any of the targets who friended NewsOnAir members taken in by the phishing scheme? It's not clear. The report directs potential victims to call the FBI's Cyber Task Force; the bureau didn't confirm or deny whether it had received any complaints, or whether it was aware of the network beforehand. iSight says it's "reasonable" to assume "a vast amount of social content was compromised in addition to some number of log-in credentials," but that appears to be based largely on conjecture. The group declined comment on any further details. The report also doesn't definitively say whether the group is Iranian. Among other things, the central domain was registered in Tehran, and members posted on a schedule consistent with normal business hours in the city. iSight also cites the "distinctly Persion" term "parastoo," used as a password for malware related to the group. If the report is correct, it certainly wouldn't be the most destructive campaign around, but it would undoubtedly one of the most elaborate.

Update May 29th, 2014 1:15pm: Updated with response from iSight.