Even after data breaches at multiple agencies and overall vows to do better on cybersecurity, government employees continue to be duped by cyber attackers’ phishing emails. A New York Times report today says over the past month, Iranian hackers successfully used spear phishing emails — specifically designed messages meant to convince a victim to enter account credentials — against State Department officials to gain access to their social media and email accounts. Staffers only discovered their accounts were compromised when Facebook alerted them to suspicious activity. Apparently none of them used two-factor authentication. Iran allegedly targeted these government workers, who focused on Iran and the Middle East, to gain access to their friend network, which presumably consisted of others in the agency.
Social media access can provide ample opportunity to gain insight into people’s connections and communications. An attacker can leap from account to account and possibly gain access to thousands of users by going off just one person’s friend list. The Wall Street Journal reported, for instance, that this attack model helped the country build a case against Jason Rezaian, the Washington Post’s Tehran bureau chief, who was found guilty of espionage. His brother claims the government used his social media accounts to "engage and entrap his friends." The state media conveyed Rezaian as integral to a US spy ring, which his family and employer have denied. The closed-door court sessions, however, don’t allow Americans to see how the case was built.
Apparently none of them used two-factor authentication
Iranian hacking efforts date back to more than a year ago with a major escalation in efforts after the Stuxnet virus destroyed possibly 1,000 of the country’s nuclear centrifuges. That was in 2012. More recently, an Iranian cyberattack was blamed for more than $40 million in damages at the Sands Casino in Las Vegas this past year. From May 2014 and until this summer, iSight Partners, a cybersecurity consulting group, and Check Point, an Israeli cybersecurity company, detailed Iranian hackers’ use of social media to steal government credentials, similarly to this most recent campaign. In these past instances, attackers often posed as reporters and members of a fake news agency to gain access. Their phishing attempts succeeded more than a quarter of the time. However, that effort died down around the signing of the Iranian nuclear deal this past summer. It wasn’t until August that they picked back up.
Facebook's state-sponsored attack alert tool launched in October, at which point the State Department recognized the return of Iran's cyberespionage endeavors.