Iranian regime hackers dangle a familiar name to fish for data
- Published on Saturday, 31 May 2014 11:28
Source: The New York Times
WASHINGTON — Over the years, John R. Bolton has played many roles in Washington. He was American ambassador to the United Nations, where he famously suggested the place could lose many of its floors — and the bureaucrats who worked on them. He was the State Department’s combative counterproliferation chief during George W. Bush’s first term, and these days he regularly appears on Fox News to denounce the Obama administration as weak and feckless.
It turns out he is also the favorite neoconservative of Iranian hackers.
Mr. Bolton said he learned this week that his identity had been stolen by hackers whom a Texas cybersecurity firm identified as a group of Iranians. It is not clear if they were government agents, part of the “cybercorps” that Iran organized after American- and Israeli-developed cyberattacks on its nuclear infrastructure, or whether they were “patriotic hackers.”
But clearly they were in search of information about Washington’s elite. In the old days of the Cold War, they would have operated by hanging out at the Occidental Grill or cocktail parties at the French Embassy, hoping to pick up a bit of loose conversation. These days, they did it by faking a LinkedIn account for Mr. Bolton, and gradually engaging in chats with people who believed they were exchanging thoughts with a man who some conservatives hope will run for president.
“I think the Iranians were after me to get all the secrets that the Obama administration has imparted to me about the Iranian nuclear program,” Mr. Bolton, now a scholar at the American Enterprise Institute here, said dryly on Friday.
“I’m honored they picked me,” he said. “They must have been looking for the most anti-Iranian regime person in Washington. I’m proud to win that award.”
Mr. Bolton was hardly the only one; a report released this week by iSight Partners, a computer security firm in Dallas, said the attacks compromised the computers of roughly 2,000 users. “This marks the emergence of Iran on the cyberespionage landscape,” said John Hultquist, the head of cyberespionage intelligence at iSight.
The campaign described by iSight appears to have started in 2011, just months after the discovery of the Stuxnet computer worm, which attacked Iran’s nuclear enrichment center at Natanz and destroyed upward of 1,000 centrifuges. Ever since, American intelligence officials have viewed Iran as a growing cyberthreat, even if it has a long way to go to catch up with its Russian and Chinese counterparts.
But compared with other cyberattacks, the one aimed at Mr. Bolton — first reported by Foreign Policy magazine and The Daily Beast — was amateurish. It was a “spear-phishing attack”: a lure tailored to a specific person, sent by email or as a message from a fake social-media account, that tries to get the target to click a link or open a file and so give up passwords or contact lists or install malware. Mr. Bolton may have been the target, or he may have been collateral damage in a broader attack on the American Enterprise Institute.
Similar attacks have been directed at other think tanks, from the Council on Foreign Relations to the Aspen Institute. In each of those cases, the hackers seemed interested in power brokers, former power brokers, consultants, contractors and journalists, apparently on the theory that those targets have confidential insights into the American government.
“This shows that the Iranians are energetic, and with relatively limited skills they take full advantage of what they can do,” said James Lewis, a cyberexpert at the Center for Strategic and International Studies. “But it doesn’t show them entering the big leagues. This is pretty basic level stuff.”
The iSight report did not say what types of data the hackers were able to steal, but the list of targets suggested that the hackers may have been after plans for military weapons systems. A fake website used by the group, NewsOnAir.org, was registered in Tehran, and the sites the hackers used to deploy their malware were hosted in Iran. The hackers’ malware contained several Persian words, and the time stamps of their activity matched a normal working day in Tehran.
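The last clue in that paragraph, activity time stamps lining up with a working day in a particular city, is a routine attribution check: take the UTC timestamps an investigator has (domain registrations, C2 check-ins, persona logins), shift them into each candidate operator time zone, and see which one puts most of the activity inside office hours. The script below is an added example, not code from the article or from iSight, and the timestamps it scores are constructed to look like a Tehran-based operator; the candidate zones are fixed UTC offsets with daylight-saving time ignored, and the 09:00 to 18:00 working day is an assumption.

```python
"""Rank candidate UTC offsets by how well attacker activity timestamps fit a
working day. Added example with constructed data, not the iSight report's."""
from datetime import datetime, timedelta, timezone

# Candidate operator time zones as fixed UTC offsets (assumption: DST ignored).
CANDIDATE_OFFSETS = {
    "UTC-05:00 (US Eastern, standard time)": timedelta(hours=-5),
    "UTC+00:00": timedelta(0),
    "UTC+03:00 (Moscow)": timedelta(hours=3),
    "UTC+03:30 (Tehran, standard time)": timedelta(hours=3, minutes=30),
    "UTC+08:00 (Beijing)": timedelta(hours=8),
}


def build_sample_activity():
    """Constructed sample: five days of events that a Tehran-based operator
    would produce, stored in UTC the way a server log would record them.
    Eight events between 09:15 and 17:15 local plus one at 20:15 local per day."""
    tehran = timezone(timedelta(hours=3, minutes=30))
    events = []
    for day in range(1, 6):
        for hour in (9, 10, 11, 13, 14, 15, 16, 17, 20):
            local = datetime(2014, 3, day, hour, 15, tzinfo=tehran)
            events.append(local.astimezone(timezone.utc))
    return events


def in_working_hours_count(utc_events, offset, start_hour=9, end_hour=18):
    """Count events whose local hour (UTC shifted by offset) falls in
    [start_hour, end_hour)."""
    tz = timezone(offset)
    return sum(1 for ts in utc_events
               if start_hour <= ts.astimezone(tz).hour < end_hour)


def rank_offsets(utc_events, candidates=CANDIDATE_OFFSETS):
    """Return [(label, hits, total)] sorted by descending working-hours fit."""
    total = len(utc_events)
    scored = [(label, in_working_hours_count(utc_events, off), total)
              for label, off in candidates.items()]
    scored.sort(key=lambda row: row[1], reverse=True)
    return scored


if __name__ == "__main__":
    for label, hits, total in rank_offsets(build_sample_activity()):
        print(f"{label:40s} {hits:2d}/{total} events in 09:00-18:00 local")
```

On the constructed sample the Tehran offset scores 40 of 45 events inside the working day, Moscow 35, UTC 30, Beijing 20 and US Eastern 5. The ranking is only as good as the assumptions behind it: an operator who works nights, a server clock that is wrong, or an adversary who deliberately schedules activity can all shift the best-fitting zone, which is why the article treats the time stamps as one indicator alongside the domain registration, the hosting and the Persian strings in the malware rather than as proof on its own.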
The hackers used a dozen fake personas and connected with victims over Facebook, LinkedIn, Twitter and YouTube. They sent malicious links to their targets, and those who clicked had malware downloaded onto their machines.
Among the fake personas employed by the hackers were the names of real journalists. In others, they claimed to be employees at military contractors, a tax adviser and reporters for the fake news organization set up by the hackers.
Some experts said it was remarkable that such techniques still work. “You know, they say that on the Internet no one knows you are a dog,” said Jason Healey, who runs the Cyber Statecraft program at the Atlantic Council, referring to a famous New Yorker cartoon in which canine computer users are musing on the benefits of their anonymity. “But there are still a lot of stupid people when it comes to clicking on links.”