Details of a suspected Iranian cyber espionage unit that targeted a range of US individuals via social media emerged in this period. On 29 May the Dallas-based cybersecurity firm iSight Partners released a report describing a three-year campaign that used fake accounts on a number of social media platforms, including Facebook, Twitter, LinkedIn, Google+, YouTube and Blogger, to harvest login details for more sensitive accounts. In the campaign, dubbed Operation Newscaster, the perpetrators set up a fake media outlet, NewsOnAir.org, and used personas posing as journalists to gain credibility with their victims. The trust built in this way was then used to induce targets to follow links that installed malware on their machines or captured their account credentials. The targets were predominantly members of the US military and Congress, as well as journalists, defence contractors and lobbying groups. A smaller number of targets were located in Israel, Saudi Arabia, the UK and Iraq.
While concrete attribution is rarely achievable for such incidents, several aspects of the operation point to Iranian state involvement. These include:
• The registration of the NewsOnAir.org domain in Tehran and the site's focus on Iranian issues
• The longevity of the campaign, which dates back to 2011, and its sophistication, both of which suggest the allocation of significant resources to the operation
• Daily activity patterns consistent with Iranian local time which, together with a discernible regular lunch break, suggest a level of organisation associated with a state actor rather than “patriotic” hackers
• Weekly activity patterns that likewise match the Iranian working week, with little activity on Thursday afternoons and Fridays, which form the weekend in Iran
• Alignment of targeting with Iranian strategic interests, both in the specific technology sought from defence contractors and in the focus on political issues such as the US-Israel relationship and nuclear non-proliferation
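The daily and weekly activity indicators above rest on a standard analyst technique: take the UTC timestamps of the actor's actions (account creations, posts, logins recorded by a platform or a sinkhole), shift them by each candidate UTC offset, and see which offset makes the activity line up with an ordinary office day and which local weekdays go quiet. The following Python is an added illustration of that method and is not iSight's code or data. The event list is constructed to mimic an actor keeping Tehran office hours (UTC+3:30 standard time, Saturday to Wednesday plus Thursday morning, an hour-long lunch); the 08:00-17:00 workday template, the half-hour offset grid and the "two least active days are the weekend" rule are assumptions of this example.

```python
"""Infer an actor's UTC offset, weekend and lunch break from activity timestamps.

Added example, not iSight's analysis. Sample data is synthetic (see constructed_events);
the 08:00-17:00 workday template and two-day weekend are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

TEHRAN = timezone(timedelta(hours=3, minutes=30))  # assumed: standard time, no DST
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def constructed_events(weeks=4):
    """Synthetic UTC timestamps: two actions per working hour, Sat-Wed 08:00-17:00
    with no activity in the 12:00 hour (lunch), Thursday 08:00-12:00 only, Friday off."""
    events = []
    day = datetime(2014, 1, 4, tzinfo=TEHRAN)  # a Saturday; whole range is standard time
    for _ in range(7 * weeks):
        wd = day.weekday()  # Mon=0 ... Thu=3, Fri=4
        if wd != 4:
            last = 12 if wd == 3 else 17
            for hour in range(8, last):
                if hour == 12:
                    continue  # lunch dip
                for minute in (5, 35):
                    local = day.replace(hour=hour, minute=minute)
                    events.append(local.astimezone(timezone.utc))
        day += timedelta(days=1)
    return events


def hour_histogram(events_utc, offset_hours):
    """Count events per local hour after shifting UTC by a candidate offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(e.astimezone(tz).hour for e in events_utc)


def workday_fit(hist, start=8, end=17):
    """Fraction of events that fall inside the assumed start..end local workday."""
    total = sum(hist.values())
    inside = sum(c for h, c in hist.items() if start <= h < end)
    return inside / total if total else 0.0


def infer_offset(events_utc):
    """Scan UTC-12 to UTC+14 in half-hour steps and return the offset whose
    local-hour histogram best fits the workday template (smallest offset on ties)."""
    candidates = [n / 2 for n in range(-24, 29)]
    return max(candidates, key=lambda off: workday_fit(hour_histogram(events_utc, off)))


def weekend_days(events_utc, offset_hours):
    """Names of the two least-active local weekdays (assumes a two-day weekend)."""
    tz = timezone(timedelta(hours=offset_hours))
    counts = Counter(e.astimezone(tz).weekday() for e in events_utc)
    ranked = sorted(range(7), key=lambda d: counts.get(d, 0))
    return sorted(WEEKDAYS[d] for d in ranked[:2])


def lunch_hour(hist, start=8, end=17):
    """Least-busy hour strictly inside the active block, i.e. the lunch dip."""
    return min(range(start + 1, end - 1), key=lambda h: hist.get(h, 0))


def profile(events_utc):
    """Full temporal profile: best-fitting offset, quiet weekdays, lunch hour."""
    off = infer_offset(events_utc)
    hist = hour_histogram(events_utc, off)
    return {
        "offset_hours": off,
        "weekend": weekend_days(events_utc, off),
        "lunch_hour": lunch_hour(hist),
    }


if __name__ == "__main__":
    print(profile(constructed_events()))
```

On the constructed data the scan settles on +3.5 hours, the quiet days come out as Thursday and Friday, and the dip falls in the 12:00 hour, which is exactly the shape of evidence the indicators above describe. The caveats matter in practice: the method assumes a single operator timezone with no daylight-saving shift across the sample, timestamps that are genuinely actor-driven rather than generated by automation or a scheduler, and enough events to make the histogram smooth. Neighbouring offsets (here +3.0 and +4.0) score almost as well, so a temporal profile narrows the candidate region but cannot by itself separate, say, Tehran from Dubai or Moscow; it is corroborating evidence, to be weighed with the infrastructure and targeting indicators listed above.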
Though the relative lack of information means that it is impossible to quantify the exact amount of
Users are therefore advised to avoid clicking on spurious links, commonly those claiming to offer previously unseen footage of recent or paranormal events; to use strong, unique passwords for social media rather than recycling those used for official and more sensitive accounts; and to avoid connecting with strangers. Notably, this operation predominantly used photos of attractive young women to increase the chance that connection requests were accepted. Finally, social media users working in sensitive environments should be wary of sharing even seemingly innocuous work-related information on platforms such as Twitter and Facebook. Any publicly disseminated material may be incorporated into an approach by a spear-phisher, and this tactic is of growing significance.