Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to Target Thousands


Upload: isightpartners

Post on 23-Aug-2014

DESCRIPTION

Details on a 3+ year cyber espionage campaign tied to Iran using LinkedIn, Facebook and Twitter to target high-ranking officials in the US, UK, Israel and other nations. More than 2,000 targets across government, defense contracting firms, lobbying groups, etc.

TRANSCRIPT

Page 1: Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousands

NEWSCASTER – Iranian Cyber Espionage using Facebook, LinkedIn, Twitter…

An iSIGHT Partners Overview

Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com

Page 2

iSIGHT Partners: 200+ experts, 16 Countries, 24 Languages, 1 Mission

Mission: Be the world's leading global cyber threat intelligence provider, connecting security technology and operations to the business.

Global Reach

Page 3

NEWSCASTER

Cyber-espionage campaign with links to Iran

Targeting high- and low-ranking personnel in multiple countries: US, UK, Israel, Saudi Arabia, Iraq
– U.S. military
– Congressional personnel
– Washington D.C. area journalists
– Diplomatic corps
– U.S. defense contractors
– Israeli defense contractors
– Members of the U.S./Israeli lobby

Utilizing social media platforms as the targeting platform
– Facebook
– LinkedIn
– YouTube
– Twitter

Page 4

NEWSCASTER

Active since at least 2011

More than a dozen elaborate principal personas; many supported by the fictitious news organization NewsOnAir.org
– Included at least two falsified versions of legitimate identities from leading news organizations (Thomson Reuters, Fox News)

More than 2,000 targets and legitimate individuals connected to the network; high probability of a vastly wider reach

Brash and complex: reliance on social engineering and spear-phishing for credential harvesting, use of malware with data exfiltration capabilities

Page 5

NEWSCASTER Personas

Persona | Purported Profession | Known Platforms | Known Connections
Sandra Maler | Reporter, NewsOnAir | LinkedIn, Facebook, Twitter, Google | 226
Adia Mitchell | Reporter, NewsOnAir | LinkedIn, Facebook, Twitter, Wordpress | 281
Amanda Teyson | Reporter, NewsOnAir | LinkedIn, Facebook, Twitter, Google | 310
Sara McKibben | Reporter, NewsOnAir | LinkedIn, Facebook | Unknown
Joseph Nilsson | Founder, NewsOnAir | LinkedIn, Facebook | 231
Jane Baker (Ava T. Foster) | Reporter, NewsOnAir | LinkedIn | 30
Mary Cole | Recruiter for Defense Contractor | LinkedIn, Facebook, Google | 500+
Berna Achando | Web Designer for Defense Contractor | LinkedIn, Facebook | 151
Jeann Maclkin | Systems Administrator for US Navy | LinkedIn, Facebook, Blogger, YouTube | 500+
Alfred Nilsson | Talent Acquisition for Defense Contractor | LinkedIn, Facebook | Unknown
Josh Nilsson (Josh Furie) | IT Manager for Defense Contractor | LinkedIn, Facebook | 130
Dorotha Baasch | IT Analyst for Defense Contractor | LinkedIn, Facebook | Unknown
Kenneth Babcock | CPA and Tax Advisor for Payment Processor | LinkedIn, Facebook, Google | Unknown
Donnie Eadense | Information Systems Manager for Defense Contractor | LinkedIn | 118

– Interconnected
– Multi-platform
– Pictures taken from bystanders and the moderately famous
– Young, pretty women used
– Secondary personas legitimize principals
– NewsOnAir.org created to legitimize multiple personas

Page 6

Elaborate Support for Personas

Page 7

NewsOnAir.org

Kimberly Gulifoyle

Page 8

NewsOnAir.Org: A Front News Agency

1. Real news articles from Reuters, AP, BBC and other sources.
2. Article reposted to NewsOnAir.org with original authorship removed.
3. Persona's name attached in byline ("By Amanda Teyson", the Amanda Teyson persona).
4. Links tweeted from @NewsOnAir24.
5. Fake journalists share NewsOnAir.org links on social media networks.

Page 9

Malicious Activity

– Social networking as reconnaissance tool and propagation method
– Credential collection capability
– Low-sophistication malware (IRC malware)
– Other capabilities anticipated

Page 10

Malicious Activity

NEWSCASTER Network (Multiple Fake Personas) against a High Value Target (HVT):

1. Friends of HVT approached first with connection request.
2. Targeted HVT approached with connection request.
3. Malicious link sent to target.
4. Link leads to fake login portal.
5. User credentials captured, stolen.
6. Unsuspecting target directed to content.

Page 11

Iranian Ties

– Infrastructure: Tehran registration, "Parastoo"
– Iranian content
– Targeting: Tehran working hours and days
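The "Tehran working hours and days" indicator is a timing analysis: activity timestamps are converted to a candidate operator's local time and compared against that region's working week. The Python block below is an added example written for this page, not code from iSIGHT or the deck. It takes UTC timestamps of observed activity and reports the fraction that falls inside each candidate profile's local working hours. Its assumptions, also marked in the code: the timestamps are constructed sample data; Tehran is modelled as a fixed UTC+03:30 offset (exact only outside Iran's 2014 daylight-saving period); the Iranian working week is taken as Saturday to Wednesday, 08:00 to 17:00; the US comparison profile uses a fixed winter UTC-05:00 offset.

```python
"""Working-hours profile check for activity timestamps (added example).

Given UTC timestamps of observed activity (logins, posts, phishing sends),
measure what fraction falls inside a candidate operator's local working week.
A consistently high fraction for one profile, and a low one for the target's
own time zone, is the kind of evidence the slide calls
"Tehran working hours and days".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Dict, Iterable, List

# Assumption: fixed UTC+03:30. Iran used daylight-saving time in 2014, so this
# is exact only for timestamps outside late March to late September; use
# zoneinfo.ZoneInfo("Asia/Tehran") where the tz database is available.
TEHRAN_FIXED = timezone(timedelta(hours=3, minutes=30), "Asia/Tehran (fixed)")
# Assumption: US Eastern in winter (UTC-05:00), used only as a comparison profile.
US_EASTERN_WINTER = timezone(timedelta(hours=-5), "US Eastern (fixed, winter)")


@dataclass(frozen=True)
class WorkWeekProfile:
    """A local working week: weekday numbers (Monday=0 .. Sunday=6) and hours."""
    name: str
    tz: tzinfo
    workdays: frozenset
    start_hour: int = 8    # inclusive, local time
    end_hour: int = 17     # exclusive, local time

    def is_working_time(self, ts_utc: datetime) -> bool:
        local = ts_utc.astimezone(self.tz)
        return local.weekday() in self.workdays and self.start_hour <= local.hour < self.end_hour


# Assumption: Iranian working week Saturday to Wednesday; Thursday half-days ignored.
TEHRAN_WORKWEEK = WorkWeekProfile("Tehran", TEHRAN_FIXED, frozenset({5, 6, 0, 1, 2}))
US_WORKWEEK = WorkWeekProfile("US Eastern", US_EASTERN_WINTER, frozenset({0, 1, 2, 3, 4}), 9, 17)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_time_fraction(events: Iterable[datetime], profile: WorkWeekProfile) -> float:
    """Fraction of events that land inside the profile's local working hours."""
    events = list(events)
    if not events:
        return 0.0
    return sum(1 for e in events if profile.is_working_time(e)) / len(events)


def local_weekday_histogram(events: Iterable[datetime], profile: WorkWeekProfile) -> Dict[int, int]:
    """Count events per local weekday; a gap on Thursday/Friday is the Iranian weekend."""
    hist = {day: 0 for day in range(7)}
    for e in events:
        hist[e.astimezone(profile.tz).weekday()] += 1
    return hist


def compare_profiles(events: List[datetime], profiles: Iterable[WorkWeekProfile]) -> Dict[str, float]:
    """Working-hours fraction per profile, rounded for display."""
    return {p.name: round(working_time_fraction(events, p), 3) for p in profiles}


# Constructed sample data (not from the deck): nine activity timestamps in
# January 2014, chosen outside Iran's daylight-saving period.
SAMPLE_EVENTS_UTC = [parse_utc(s) for s in (
    "2014-01-11T05:00:00Z",  # Sat 08:30 Tehran
    "2014-01-12T07:15:00Z",  # Sun 10:45 Tehran
    "2014-01-13T10:00:00Z",  # Mon 13:30 Tehran
    "2014-01-13T15:30:00Z",  # Mon 19:00 Tehran (after hours); 10:30 US Eastern
    "2014-01-14T12:45:00Z",  # Tue 16:15 Tehran
    "2014-01-15T03:00:00Z",  # Wed 06:30 Tehran (before hours)
    "2014-01-16T08:00:00Z",  # Thu 11:30 Tehran (weekend)
    "2014-01-17T09:00:00Z",  # Fri 12:30 Tehran (weekend)
    "2014-01-18T13:00:00Z",  # Sat 16:30 Tehran
)]

if __name__ == "__main__":
    for name, frac in compare_profiles(SAMPLE_EVENTS_UTC, [TEHRAN_WORKWEEK, US_WORKWEEK]).items():
        print(f"{name}: {frac:.1%} of activity inside local working hours")
    print("Tehran weekday histogram (Mon=0):", local_weekday_histogram(SAMPLE_EVENTS_UTC, TEHRAN_WORKWEEK))
```

Nine events are only enough to show the mechanics; an attribution argument needs a large event set, several candidate profiles compared side by side, and the weekday histogram checked for the Thursday/Friday gap, since a high working-hours fraction alone can also fit a scheduled tool run.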

Page 12

Implications

– Method is not novel
– What this group lacks in technical sophistication they make up for in brashness, creativity, and patience
– We infer from the length of this operation that it has had at least marginal success
– Defense requires a human touch

Page 13

NEWSCASTER SUMMARY

3+ year cyber-espionage campaign with links to Iran

Targeting high- and low-ranking personnel in multiple countries: US, UK, Israel, Saudi Arabia, Iraq
– U.S. military
– Congressional personnel
– Washington D.C. area journalists
– Diplomatic corps
– U.S. defense contractors
– Israeli defense contractors
– Members of the U.S./Israeli lobby

Utilizing social media platforms as the targeting platform
– Facebook
– LinkedIn
– YouTube
– Etc.

More than 2,000 targets and legitimate individuals caught in the net
– Credential harvesting
– Access to corporate and personal emails
– Malware with data exfiltration capabilities

Page 14

Today's Cyber Security Challenges

– CISOs finding it difficult to define security ROI to executives; short shelf life for CISOs
– Vastly expanding attack surface area: mobile, cloud, virtualization, global business operations
– Large protection investments and no good prioritization filter: who, why, when, how
– Operational chaos: too many alarms, not enough people, poor prioritization
– "Brain dead" security tools that rely on past events/signatures versus extremely agile adversaries
– Severe breaches continue…

Page 15

How Can Cyber Threat Intelligence Help?

1. Be Proactive

2. Shrink the Problem

3. Improve Prioritization

4. Enhance Executive Communications

5. Connect Security With Business

CISO Recommendation: "Use a commercial threat intelligence service to develop informed tactics for current threats, and plan for threats that may exist in the midterm future."

Rob McMillan & Kelly Kavanagh, Technology Overview for Security Threat Intelligence Service Providers, published 16 October 2013

Page 16

iSIGHT Partners – What We Do

ThreatScape® Subscriptions
– Cyber Crime
– Cyber Espionage
– Distributed Denial-of-Service
– Enterprise
– Hacktivism
– Mobile
– Vulnerability and Exploitation

ThreatScape Technologies
– ThreatScape API
– Partner Integrations
– Intelligence Integration

ThreatService™ Engagements
– Analyst Access
– Global Response
– Bundled Analyst Research
– Threat Diagnostics
– Breach Diagnostics

Page 17

Formal Research Process Yields Rich, Contextual Threat Intelligence

Cycle phases shown on the slide: Collection, Analysis, Dissemination, with Feedback & Clarification.

– Intelligence requirements requested from client
– Intelligence requirements created based on clients, sectors and adversaries
– Requirements prioritized by analysts, matched to current holdings, then passed to research teams
– Collection planning and tasking of global teams
– Requirements collected by unique global teams and returned to fusion center
– Processing and exploitation to standardize multiple information sources ready for analysis
– Analysis of information and production of reporting for clients
– Fully fused, corroborated, cross-referenced and edited multi-source intelligence reporting disseminated to clients
– Client feedback, refinement of intelligence product

Page 18

How We Deliver: Fully Integrated Dissemination Model

Consumers: Executives; Risk, Intel, Fraud; SOC; Incident Response; Tech Security Controls; Technology Partners

Delivery channels: ThreatScape® API, MySIGHT Portal, Email, ThreatScape Technologies

Standard Formats: PGP, HTML, TXT, XML, JSON, STIX, PDF, CSV

Sample report excerpts shown on the slide:

Executive Summary: On April 10, 2012, iSIGHT Partners observed a mass mailing targeting chief financial officers (CFOs) with a fraudulent e-mail titled, "CFO Bulletin Update."

Context: …The campaign is related to other Gameover Zeus analyses as it uses a similar attack infrastructure and campaign identifiers. Malicious hyperlinks within the message point to pages hosted on compromised websites that contain no visible content, but do load one JavaScript file: hxxp://crazytraintour.com.ar/jie3Qd6E/js.js

Data:
Size: 305704 bytes
MD5: 5bda9aea96360d9260d7cf38b416af8c
Digital Signature: This file is digitally signed by 'nYZbvA3YL8XjBMx'
Certificate Validity: 04/10/2012 to 01/01/2040
Timestamp: 2010:11:01 22:56:53+01:00
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
...
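The Data excerpt above is raw file metadata of the kind that lands in a report, and several of its fields contradict each other. The Python block below is an added example written for this page, not iSIGHT's code or tooling. It parses that record, including the run-together form in which the slide text was scraped, and applies three triage checks the record itself supports: the claimed company name against the signer, the build timestamp against the certificate validity window, and the certificate lifetime. The five-year lifetime threshold and the name-based signer comparison are the author's assumptions and are labelled in the code; a real trust decision needs certificate chain validation, not string matching.

```python
"""Triage checks on a signed-file metadata record (added example).

The record is the "Data" excerpt shown on this slide, re-typed here as
constructed input. The checks are the ones a triage analyst runs on PE
metadata that claims to be a Microsoft file: does the signer match the
claimed company, does the build timestamp fall inside the certificate's
validity, and is the certificate lifetime plausible for code signing.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

FIELD_LABELS = (
    "Size", "MD5", "Digital Signature", "Certificate Validity", "Timestamp",
    "Company Name", "File Description", "File Version", "Internal Name",
)
_LABEL_RE = re.compile(r"(%s): " % "|".join(re.escape(label) for label in FIELD_LABELS))

# Constructed input: the slide's Data excerpt, one field per line.
SAMPLE_RECORD = """\
Size: 305704 bytes
MD5: 5bda9aea96360d9260d7cf38b416af8c
Digital Signature: This file is digitally signed by 'nYZbvA3YL8XjBMx'
Certificate Validity: 04/10/2012 to 01/01/2040
Timestamp: 2010:11:01 22:56:53+01:00
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
"""

# The same record as it appears in the scraped slide text, fields run together.
SAMPLE_RECORD_RUN_TOGETHER = (
    "Size: 305704 bytesMD5: 5bda9aea96360d9260d7cf38b416af8cDigital Signature: This file is "
    "digitally signed by 'nYZbvA3YL8XjBMx'Certificate Validity: 04/10/2012 to 01/01/2040"
    "Timestamp: 2010:11:01 22:56:53+01:00Company Name: Microsoft CorporationFile Description: "
    "Windows Disk Diagnostic User ResolverFile Version: 6.1.7600.16385 (win7_rtm.090713-1255)"
    "Internal Name: DFDWiz.exe"
)


def parse_record(text: str) -> Dict[str, str]:
    """Split on known 'Label: ' markers so parsing works with or without newlines."""
    matches = list(_LABEL_RE.finditer(text))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def signer_name(fields: Dict[str, str]) -> str:
    """Pull the quoted signer out of the 'Digital Signature' sentence (straight or curly quotes)."""
    m = re.search(r"signed by ['\u2018\u2019](.+?)['\u2018\u2019]", fields.get("Digital Signature", ""))
    return m.group(1) if m else ""


def certificate_validity(fields: Dict[str, str]) -> Tuple[datetime, datetime]:
    """'MM/DD/YYYY to MM/DD/YYYY' as used in the excerpt (assumption: US date order)."""
    start_s, end_s = fields["Certificate Validity"].split(" to ")
    return datetime.strptime(start_s, "%m/%d/%Y"), datetime.strptime(end_s, "%m/%d/%Y")


def build_timestamp(fields: Dict[str, str]) -> datetime:
    """exiftool-style 'YYYY:MM:DD HH:MM:SS+HH:MM'; returned as naive local time."""
    return datetime.strptime(fields["Timestamp"], "%Y:%m:%d %H:%M:%S%z").replace(tzinfo=None)


# Assumption: five years is the author's heuristic for an implausibly long code-signing
# certificate; an operational policy would take the limit from the CA baseline in force.
MAX_PLAUSIBLE_VALIDITY_DAYS = 5 * 365


def triage(fields: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    md5 = fields.get("MD5", "")
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        findings.append(f"malformed MD5 field: {md5!r}")
    company, signer = fields.get("Company Name", ""), signer_name(fields)
    # Name matching stands in for chain validation to a Microsoft root; a string
    # compare is a triage flag, never a trust decision.
    if "Microsoft" in company and not signer.startswith("Microsoft"):
        findings.append(f"company/signer mismatch: metadata claims {company!r} but the signer is {signer!r}")
    start, end = certificate_validity(fields)
    if build_timestamp(fields) < start:
        findings.append("build timestamp predates the certificate's validity start")
    if (end - start).days > MAX_PLAUSIBLE_VALIDITY_DAYS:
        years = (end - start).days // 365
        findings.append(f"certificate validity span of {years} years is unusually long for code signing")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_record(SAMPLE_RECORD)):
        print("-", finding)
```

On the slide's record all three checks fire: the file claims Microsoft Corporation but is signed by 'nYZbvA3YL8XjBMx', its 2010 build timestamp predates a certificate that only becomes valid in 2012, and that certificate runs until 2040. Each finding alone is weak; together they are the kind of contradiction the report excerpt is pointing at.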

Page 19

At the Ready to Help

Stephen Ward: [email protected]

www.isightpartners.com

Request more information: [email protected]

Page 20

iSIGHT Partners

200+ experts, 16 Countries, 24 Languages, 1 Mission