An Iranian cyber espionage campaign targeted the public and private sectors in the US, Israel, the UK and beyond using social media.
Iranian hackers used more than ten fake identities on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign. At least 2,000 people were caught in the snare and are connected to the false identities.
The campaign has operated undetected since 2011. It targets senior US military and diplomatic personnel, congressional staff, Washington DC journalists, US think tanks, defense contractors in the US and Israel, and other vocal supporters of Israel, with the aim of covertly obtaining log-in credentials to these victims' email systems. Additional victims were targeted in the UK, Saudi Arabia and Iraq.
The targeting, operational schedule and infrastructure used in this campaign are consistent with an Iranian origin.
The fake identities claim to work in journalism, government and defense contracting. The accounts are elaborate and build credibility using, among other tactics, a fictitious journalism website, newsonair.org, that copies news content from other media outlets.
These credible-looking identities then connected with, linked to, followed and friended their targets to gain access to information about the targets' location, activities and relationships from status updates and other routine content.
The identities then hit those accounts with spear-phishing messages. Links that appeared legitimate asked recipients to log in to fake pages built to capture credentials. It is not yet clear how many credentials the campaign has captured.
The campaign is also linked to malware. The malware is not very sophisticated, but it includes capability that can be used for data exfiltration.
The discovery and investigation of the attack reveals three critical insights:
Social media offers a powerful and largely unmonitored route to key government and industry leadership, worked from an external position that may sit entirely outside an organization's existing security controls.
Given the targeting associated with this campaign, it is possible that Iranian hackers used the access gained through these activities to support the development of weapon systems, to reveal the disposition of the US military or the state of the US alliance with Israel, or to gain an advantage in negotiations between Iran and the US. It is also possible that any access or knowledge gained could serve as reconnaissance for a later disruptive or destructive attack.
These adversaries are getting better at finding and exploiting opportunities to carry out cyber espionage even where they lack sophisticated capability. The success of the campaign, dubbed NEWSCASTER, is largely due to patience, brazenness and innovative use of multiple social media platforms.
The NEWSCASTER network appears to target mainly senior military personnel and policymakers, companies associated with defense technology, and the US-Israel lobby. There are, however, also victims in the financial and energy sectors and elsewhere, and only a part of the accounts connected to this network has been seen. Organizations involved in critical infrastructure, or holding information of strategic or tactical interest to a nation-state adversary, should be concerned about a threat such as this.
One of the official web pages of the popular TrueCrypt encryption program now states that development has ended abruptly and warns users of the decade-old tool that it is no longer safe to use.
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” text in red at the top of TrueCrypt page on SourceForge states. The page continues: “This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
Online marketplace eBay is forcing users to change their passwords after a cyber-attack compromised its systems.
The US firm said a database hacked between late February and early March contained encrypted passwords and other non-financial data.
The company added that it has no evidence of unauthorised activity on its members' accounts.
However, it said that changing passwords is "best practice and will help enhance security for eBay users".
The California company has 128 million active users and recorded $212bn commerce on its various marketplaces and other services in 2013.
eBay said it will contact users via email, its website, adverts and social media to alert them to the issue.
The attackers accessed the information after obtaining "a small number of employee log-in credentials" that gave them access to eBay's systems; eBay first became aware of the compromise only two weeks ago.
eBay said: "The database… included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth.
However, the database did not contain financial information or other confidential personal information.
Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.”
Although the firm also owns the PayPal money transfer service, it said that PayPal data is stored separately and encrypted and that there is no evidence it was accessed.
Communications Minister Mahmoud Vaezi said on Wednesday that Iran plans to introduce "smart filtering", which would block only sites the Islamic government considers immoral, as a way of loosening internet censorship.
Internet use is high in Iran partly because many young Iranians use the internet to bypass an official ban on western cultural products and Tehran occasionally filters popular websites such as Twitter and Facebook.
Censorship has eased somewhat since the moderate Hassan Rouhani was elected president last year, and the smart filtering initiative appears to reflect this.
Vaezi said: "We have signed agreements with three universities and research institutes to develop smart filtering to block only depraved and immoral sites but allow access to other pages," without naming the organisations involved.
Mehr news agency quoted Vaezi who said to journalists: “Smart filtering is used for specific targets only and presently the project is undergoing experiments.”
The minister did not make clear what would be considered depraved and immoral, but Iranian clerics frequently use the terms to mean anything from pictures of women in revealing Western clothing to outright pornography.
But he dismissed rumours that Tehran will start filtering the latest teen fashion, the WhatsApp Messenger instant messaging service. He added: "What is being said about this matter is mainly nonsense, propaganda."
The Mehr report also did not mention the latest internet fashion, a Facebook page where women post pictures of themselves without their obligatory headscarf.
Cyberspace has been a controversial phenomenon in the Islamic Republic like satellite television and music videos in earlier decades because of political and also moral concerns.
Many conservative clerics long opposed the introduction of the internet into Iran and, since its debut, have demanded tighter supervision.
Their offensive peaked during a crackdown on freedom of speech after the mass protests in 2009 against the disputed re-election of former president Mahmoud Ahmadinejad.
The Ajax Security Team, which has been targeting both US defense companies and users of popular anti-censorship tools inside Iran, has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard.
The group has engaged in website defacements since 2010. By 2014, however, it had transitioned to malware-based espionage, using methodology consistent with other advanced persistent threats in the region.
It is unclear whether the Ajax Security Team operates in isolation or is part of a larger coordinated effort. We observed the group using varied social engineering tactics to lure targets into infecting themselves with malware. The malware tools it uses do not appear to be publicly available. Although we did not observe the use of exploits to infect victims, members of the Ajax Security Team have previously used exploit code in website defacement operations.
The group's objectives are consistent with Iran's efforts to control political dissent and expand its offensive cyber capabilities, but we believe that members of the group may also be involved in traditional cybercrime. This points to a considerable gray area between the cyber espionage activity of Iranian hacker groups and any direct Iranian government or military involvement.
Although the Ajax Security Team's full capabilities remain unclear, we believe its current operations are somewhat successful. We assess that if these actors continue at the current pace, they will improve their capabilities in the mid-term.
Web browsers generally allow users to send a “Do Not Track” signal that informs advertisers that the users do not want to be tracked for the purposes of sending personalized ads.
But this is largely a futile exercise, because websites and advertising networks are free to ignore the signal. Even Yahoo, which had been honoring Do Not Track requests, decided this week to stop doing so.
The Electronic Frontier Foundation may have a solution. Last night, the group announced “Privacy Badger,” an extension for Chrome and Firefox “that analyzes sites to detect and disallow content that tracks you in an objectionable, non-consensual manner.”
Privacy Badger doesn’t block ads automatically. The group explained:
“When you visit websites, your copy of Privacy Badger keeps note of the “third-party” domains that embed images, scripts and advertising in the pages you visit. If a third-party server appears to be tracking you without permission, by using uniquely identifying cookies to collect a record of the pages you visit across multiple sites, Privacy Badger will automatically disallow content from that third-party tracker. In some cases a third-party domain provides some important aspect of a page’s functionality, such as embedded maps, images, or fonts. In those cases, Privacy Badger will allow connections to the third party but will screen out its tracking cookies.”
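To make the heuristic described above concrete, here is an added illustration (not EFF's code, and not part of the original article) of how a browser extension can tell a cross-site tracker from a functional third party and decide whether to block it outright, strip its cookies, or let it through. The request log, the domain names, the three-site threshold and the entropy cut-off used to decide that a cookie value is "uniquely identifying" are all constructed assumptions for the example; Privacy Badger's real implementation differs in its details. The `DNT: 1` header is the Do Not Track signal mentioned earlier, which the code still sends even though sites may ignore it.

```javascript
// Constructed sample: third-party requests seen while visiting several first-party
// pages. `functional` marks content the page visibly needs (maps, fonts, images).
const OBSERVED_REQUESTS = [
  { firstParty: 'news.example', thirdParty: 'tracker.example', cookieHeader: 'uid=k9Fz2Qw8PlM3xR7aB2cD', functional: false },
  { firstParty: 'shop.example', thirdParty: 'tracker.example', cookieHeader: 'uid=k9Fz2Qw8PlM3xR7aB2cD', functional: false },
  { firstParty: 'blog.example', thirdParty: 'tracker.example', cookieHeader: 'uid=k9Fz2Qw8PlM3xR7aB2cD', functional: false },
  { firstParty: 'news.example', thirdParty: 'maps.example',    cookieHeader: 'sid=Zx8Qp3Lm9Vt2Hw5Ny7Rc', functional: true },
  { firstParty: 'shop.example', thirdParty: 'maps.example',    cookieHeader: 'sid=Zx8Qp3Lm9Vt2Hw5Ny7Rc', functional: true },
  { firstParty: 'blog.example', thirdParty: 'maps.example',    cookieHeader: 'sid=Zx8Qp3Lm9Vt2Hw5Ny7Rc', functional: true },
  { firstParty: 'news.example', thirdParty: 'fonts.example',   cookieHeader: 'lang=en', functional: true },
  { firstParty: 'shop.example', thirdParty: 'fonts.example',   cookieHeader: 'lang=en', functional: true },
  { firstParty: 'blog.example', thirdParty: 'fonts.example',   cookieHeader: 'lang=en', functional: true },
  { firstParty: 'news.example', thirdParty: 'analytics.example', cookieHeader: 'vid=Qw7Er9Ty2Ui4Op6As8Df', functional: false },
  { firstParty: 'shop.example', thirdParty: 'analytics.example', cookieHeader: 'vid=Qw7Er9Ty2Ui4Op6As8Df', functional: false },
];

// Assumption: a third party is a tracker once it has set an identifying cookie on
// this many distinct first-party sites (Privacy Badger also uses a small count).
const TRACKING_THRESHOLD = 3;
// Assumption: a cookie value carrying fewer than this many bits cannot single out a user.
const MIN_IDENTIFYING_BITS = 12;
// Common preference values that are never identifying regardless of their entropy.
const LOW_ENTROPY_VALUES = new Set(['0', '1', 'true', 'false', 'yes', 'no', 'en', 'en-US', 'light', 'dark']);

// Shannon entropy of the whole string in bits (per-character entropy times length).
function shannonEntropyBits(value) {
  if (value.length === 0) return 0;
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * value.length;
}

// A cookie value is treated as uniquely identifying when it is not a known
// preference value and carries enough entropy to distinguish individual users.
function isUniquelyIdentifyingCookie(value) {
  if (LOW_ENTROPY_VALUES.has(value)) return false;
  return shannonEntropyBits(value) >= MIN_IDENTIFYING_BITS;
}

// Parse a Cookie header ("a=1; b=2") into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Classify each third-party domain: 'block' (tracker, nothing the page needs),
// 'cookieblock' (tracker, but it serves functional content so only its cookies are
// dropped) or 'allow' (not seen tracking across enough sites).
function classifyThirdParties(requests, threshold = TRACKING_THRESHOLD) {
  const trackedSites = new Map(); // thirdParty -> Set of first-party sites with an identifying cookie
  const servesFunctional = new Map();
  for (const r of requests) {
    if (!trackedSites.has(r.thirdParty)) {
      trackedSites.set(r.thirdParty, new Set());
      servesFunctional.set(r.thirdParty, false);
    }
    if (r.functional) servesFunctional.set(r.thirdParty, true);
    const identifying = Object.values(parseCookies(r.cookieHeader)).some(isUniquelyIdentifyingCookie);
    if (identifying) trackedSites.get(r.thirdParty).add(r.firstParty);
  }
  const decisions = {};
  for (const [thirdParty, sites] of trackedSites) {
    if (sites.size >= threshold) decisions[thirdParty] = servesFunctional.get(thirdParty) ? 'cookieblock' : 'block';
    else decisions[thirdParty] = 'allow';
  }
  return decisions;
}

// Apply a decision to one outgoing request. A blocked request is never sent
// (headers: null); otherwise the DNT signal is always attached and the Cookie
// header is forwarded only for third parties that are allowed.
function applyPolicy(request, decisions) {
  const action = decisions[request.thirdParty] || 'allow';
  if (action === 'block') return { action, headers: null };
  const headers = { DNT: '1' };
  if (action === 'allow' && request.cookieHeader) headers.Cookie = request.cookieHeader;
  return { action, headers };
}
```

Run against the constructed log, `tracker.example` is blocked, `maps.example` keeps loading but loses its cookie, `fonts.example` is allowed because `lang=en` cannot identify anyone, and `analytics.example` is allowed only because it has been seen on two sites so far; one more site and it crosses the threshold, which is the "learns as you browse" behaviour the EFF describes.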