Iranian hackers set up fake news website, and posed as journalists on Facebook to spy on United States and others
Security researchers claim to have uncovered a three-year-old internet espionage campaign, targeting military personnel, diplomats, and defence contractors in the United States and Israel.
The campaign, dubbed “NEWSCASTER” by iSIGHT Partners, saw more than a dozen fake profiles created on social networking sites like Facebook, Twitter and LinkedIn, pretending to be journalists, government or defence workers.
The hackers managed to dupe at least 2000 potential targets to connect with them on social networks, increasing their credibility in the eyes of others by being seen to have existing business and social relationships.
Amongst other tactics, the hackers are said to have created a bogus news website – newsonair.org (not to be confused with newsonair.com, a legitimate Indian news operation) – that plagiarised news content from other sources.
From my exploration the site does indeed scrape content from legitimate news outlets. For instance, here is a story that newsonair.org published in September 2013 about the iPhone 5S fingerprint sensor quoting me:
And here is the original article, published by CNN:
Now, scraping legitimate news websites – although deeply annoying to those who have worked hard and spent money creating that content – isn’t sadly unusual, and definitely isn’t evidence of internet espionage.
But it should make observers question the legitimacy of the site, and the journalistic credentials of anyone who claims to be connected with it.
In its report, iSIGHT Partners says that the motivation behind the cybercriminal campaign was to steal login credentials for victim’s email accounts, by sending them phishing messages that asked them to login to webpages (presumably to view breaking news articles).
In some cases these phishing pages would have probably presented themselves as the login pages for social networks like Facebook.
It’s not a sophisticated method of attack, but with many users lazily choosing to recycle the same passwords on multiple websites it could lead to hackers gaining access to the login credentials for other important sites, from where they could glean information and conduct reconnaissance.
In addition, iSIGHT Partners says that the attackers used “not particularly sophisticated” malware to exfiltrate data from compromised computers.
The investigators strongly suspect that the threat originated in Iran. This is partly based upon the location of the victims targeted (United States, Israel, Iraq, UK, Saudi Arabia), but also – perhaps surprisingly – upon the hours that the hackers kept:
Though the timing of the social network attack may seem irregular at first, over multiple years the schedule behind the activity becomes apparent. They maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the work day. These hours conform to work hours in Tehran. Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend. Other clues, such as the targets on which the operators have chosen to focus and additional technical indicators, lead us to believe NEWSCASTER originates in Iran.
It is, of course, always hard to be 100% certain when pointing a finger at a particular country regarding an internet attack. It is, after all, very easy to cover your tracks on the net, and disguise an internet attack to give the impression of coming from a different country.
It is even harder still to prove an attack was state-sponsored, and had the backing of a particular government.
At the same time, it would be wise not to be naive. Ultimately, you have to ask yourself who would have the most to gain from spying on particular countries and particular organisations within those states.
This particular attack may have been relatively low-tech, but it does underline that everyone needs to be vigilant about who they trust online – whether it be a news website or a new connection on a social network. Vigilance can help prevent your organisation from being the next one successfully targeted.
In addition, always use strong, hard-to-crack passwords and ensure that you are never re-using the same passwords on multiple sites.