Since 2011, hackers based in Iran have used a fake news website and phony social media accounts to spy on political and military leaders in the United States, Israel and other countries, researchers have found.
A new report released by cybersecurity firm iSight Partners says that over 2,000 people have been targeted by an operation it dubbed Newscaster, which employs a fake news site, NewsOnAir.org, and fake social media accounts.
The ongoing espionage program is believed to be "carried out by Iranian actors, though there is a dearth of information implicating its ultimate sponsor," the report states.
Newscaster plagiarizes the work of real media outlets "to legitimize their personas as journalists," the firm found.
The “brash and complex” operation, iSight reported, uses social media and “spear-phishing” to contact officials and contractors in an effort to access secret networks and steal sensitive data.
The operation also uses fake personas to make social-media connections, all in attempts to steal email usernames, passwords, and other information.
"What this group lacks in technical sophistication, they make up for in brashness, creativity and patience," the iSight report states.
"We infer from the length of this operation is indicative of at least marginal success."
In addition to the US and Israel, the Newscaster operation may have targeted "high- and low-ranking personnel in multiple countries," including Britain, Iraq, and Saudi Arabia, the report found.
Individual targets included members of the US military, congressional staff, Washington journalists, diplomats, US and Israeli defense contractors, and members of the “US/Israeli lobby.”
For example, the supposed Iranian spies used the name of former United States ambassador to the United Nations John R. Bolton on social media sites in attempts to trick activists, national security analysts, and other general foes of Iran into giving up sensitive information, The Daily Beast reported Thursday.
Neoconservative Bolton – former US President George W. Bush’s UN ambassador for just over 16 months in 2005 and 2006 – is known, in part, for his bellicose rhetoric regarding Iran and its nuclear program.
The fake account is used to contact targets via LinkedIn’s private chat system. Once a recipient responds, “John R. Bolton” strikes up a conversation to build trust over several weeks before asking the recipient for input on a new website “Bolton” is launching. When the recipient reaches the website, which is not yet ready for public viewing, she is asked for an email address and password. Should the target proceed, the hackers would be able to break into the target’s email account.
Experts told The Daily Beast that while there is no bulletproof certainty, the hacks targeting politicos, journalists, activists, and pro-Israel lobbyists fit the pattern of Iranian actors.
John Hultquist, an analyst with iSight Partners, said the “Bolton” account matched other methods used by Iranian hackers that his company exposed in a new research paper on Iranian cyber-espionage programs using social media.
“We saw connections in neoconservative think tanks as well as the Baha’i faith,” Hultquist told The Daily Beast.
He said the targets of the operations – the pro-Israel lobby, Baha’i activists, and others known to take a strict line with Iran – fit the description of those generally subject to Iranian electronic attacks.
In addition, Hultquist found that the fake social media profiles were used during business hours in Iran, that one fake website – newsonair.com – was hosted on Iranian servers, and that malware used in the attacks contained Persian-language text in its code.
For his part, the real Bolton told The Daily Beast he was “honored to be selected by the Ayatollahs for this distinction.”
“Maybe I should create a fake Iranian LinkedIn account and offer to give away the country’s nuclear weapons secrets. I will try to get to John Kerry first,” he added.