Iranian military spear-phish of State Department employees detected first by Facebook
More details have emerged about the hacking of computers belonging to US State Department employees and other government staff, first revealed earlier this month in a Wall Street Journal report. The intrusions, by hackers reportedly associated with the Iranian Revolutionary Guard, may be tied to the arrest of an Iranian-American businessman in Tehran in October and to other arrests of dual citizens in Iran. The attackers used compromised social media accounts belonging to junior State Department staff as the starting point for a “phishing” operation that compromised the computers of employees in the State Department’s Office of Iranian Affairs and Bureau of Near Eastern Affairs, as well as the computers of some journalists.
The first warning of the attacks came from Facebook, which alerted some of the affected users that their accounts had been compromised in a state-sponsored attack, The New York Times reports. The Iranian Revolutionary Guard hackers used their access to those accounts to identify the victims’ contacts and then to craft “spear-phishing” messages that gave them access to the targeted individuals’ e-mail accounts. The attack “was very carefully designed and showed the degree to which they understood which of our staff was working on Iran issues now that the nuclear deal is done,” an unnamed senior US official told the Times.
This most recent attack came after a brief lull in Iranian activity against US targets over the summer, according to data from Check Point and iSight Partners, and it marked a change from the tactics previously associated with Iranian hackers. Earlier attacks attributed to Iran focused on knocking financial services companies’ websites offline and on destroying data, as in last year’s attack on casino company Las Vegas Sands Corp after its majority owner called for a nuclear attack on Iran. Those attacks may not have been carried out by the Iranian government at all but by Iranian or pro-Iranian “hacktivists.” The State Department attack, by contrast, was more subtle and aimed at cyber-espionage rather than simple vengeance, bearing the hallmarks of tactics attributed to Chinese state-sponsored hackers.