Iran appears to be the hidden hand behind a three-year cyber-espionage campaign aimed at stealing information from leading high-ranking US military and diplomatic officials via an elaborate fake online news operation, according to a new report.
In spirit, if not daring, the fake news operation offers a whiff of e-payback for the CIA’s own fake movie-making gambit of 35 years ago, as dramatized in the movie “Argo,” in which US Embassy staff who evaded Iranian revolutionary hostage-takers were rescued.
Fake news stories, a fake media mogul who supposedly owned the news site they appeared on, his fake friends, and fake reporters who worked for him were all part of an extensive structure of fictitious personas, pictures, and messages strung across a host of social media sites including LinkedIn, Facebook, and Twitter.
That network was used to win “friend” status from about 2,000 targeted people – including senior military officers and diplomats, says the report by iSight Partners, a Dallas cyber-security company.
Once connected, the cyber-spy “friend” sent the targets poisoned links to websites that then stole the targets’ passwords and other login information. That permitted the spies to harvest e-mail and other data from those systems.
Dubbed “Newscaster” by iSight investigators, the operation employed a slick but entirely fake site called NewsOnAir.org. On the site, the text of actual news stories was plagiarized and credited to fake journalists. Twitter was often used to send links to the articles to victims. Fake web pages of what appeared to be Yahoo, Google, and Outlook Web Access appeared, requiring login information, which was sent to computer servers in Iran.
“The network was principally leveraged against US and Israeli targets in public and private sectors ... with deliberate attempts to connect with certain entities suggest an interest in political, military, diplomatic, and technical intelligence,” the report said. “The majority of personas purport to be journalists, members of the military or defense contractors.”
The fake network, while not especially technically sophisticated, shows that Iran is expanding its offensive cyber-capabilities, experts say.
“This is an Iranian attempt to get smart on US policymaking – quite probably to give them insight into how the US will respond or react in these nuclear talks,” says Ilan Berman, vice president of the American Foreign Policy Council, a Washington think tank.
The news site and other fake sites associated with it appear to have been created about the time that Iran was crunched by US sanctions and under tremendous pressure to negotiate on reducing its nuclear program, adds John Bumgarner, a former intelligence officer.
“Someone went to a lot of effort to put this together,” he says. “It does seem to parallel the Iranian nuclear program.... And this was a way for Iran to get a look behind the curtain at US intentions.”
Iran is widely credited with carrying out damaging cyber-attacks on oil and gas company computers in Saudi Arabia and Qatar in August 2012. A spate of intense distributed denial of service (DDoS) attacks against US banks began in fall 2012, running for about a year before inexplicably petering out.
Along the way, it seems to have expanded its cyber-spying. While not nearly as sophisticated as the US, Russia, China, or France, Iran’s cyber-espionage efforts included a recent four-month incursion into a US Navy network that put US cyber-counter intelligence on notice, other experts say.
“They’ve put in place the structures, strategy, and have acquired software tools from the black market,” James Lewis, a cyber expert with the Center for Strategic and International Studies, concurred in a recent interview. “They have groups whose job it is to hack.”