What happens when hackers do not have the sophisticated knowledge or equipment to hack into government systems? They use social engineering to target the weakest link in the security chain.
Cyber intelligence firm iSight Partners released a report Tuesday that says a group of hackers allegedly from Iran has been running an elaborate three-year campaign, dubbed Newscaster, to spy on high-ranking defense officials, lawmakers, journalists and defense contractors in the U.S., Israel, U.K., Saudi Arabia and Iraq. The group connected with its targets through a web of interconnected social media profiles on Facebook, LinkedIn, Twitter, Google+, YouTube and Blogger.
"We infer, from our limited knowledge of NEWSCASTER targeting, that such intelligence could ultimately support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S., especially with regards to sanctions and proliferation issues," writes Stephen Ward, senior director of marketing at iSight.
The hackers created over a dozen fake profiles across various social networking platforms and filled them with fictitious content. For example, one persona shared the photo of a dog that had allegedly died in its owner's arms, while another posted about being lonely. They also posted links to non-malicious content, such as videos and news articles on NewsOnAir.org, a fake news website the hackers created that republished articles lifted from CNN and BBC, further bolstering their bid for trust.
The hackers would then reach out to the targets' family, friends or old high school classmates before initiating contact with the targets themselves. Once trust was established, they would send malware-embedded links that led to spoofed pages asking for the targets' credentials.
iSight says it does not know what kind of information the hackers have obtained, although it assumes that "a vast amount of social content was compromised in addition to some number of log-in credentials that can be used to access additional systems and information," since people usually use the same log-in information for multiple websites.
iSight used malware analysis, open-source research and information from its global collection network to conclude that the hackers are based in Iran. Ward says the hackers kept a schedule consistent with Tehran's working hours: they broke for lunch during Tehran's lunch hour, worked only half a day on Thursday and took Friday, the Tehran weekend, off.
"This attack is decently technical, but most of it is cleverness and time," says Jason Healey, director of the cyber statecraft initiative at the Atlantic Council. "Iran believes they are facing dangerous attacks by Israel, dangerous attacks by the U.S., and they know they have to come up with some clever stuff."
iSight is currently coordinating with the Federal Bureau of Investigation to assess the impact of the campaign on critical infrastructure and government agencies.
For its part, Facebook says it has deleted the fictitious profiles after discovering "suspicious" friend requests a week ago. LinkedIn is also investigating the profiles in question.