{
	"id": "e5869209-b00c-40c8-9ebc-008ddc8f5028",
	"created_at": "2026-04-06T00:10:08.757869Z",
	"updated_at": "2026-04-10T03:35:36.59158Z",
	"deleted_at": null,
	"sha1_hash": "338a27b4bc0d9bb17b2aae2185778ddf1477bb59",
	"title": "Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373657,
	"plain_text": "Iranian Hackers Targeted US Officials in Elaborate Social Media\r\nAttack Operation\r\nBy Mike Lennon\r\nPublished: 2014-05-29 · Archived: 2026-04-05 18:30:13 UTC\r\nIranian threat actors, using more than a dozen fake personas on popular social networking sites, have been\r\nrunning a wide-spanning cyber espionage operation since 2011, according to cyber intelligence firm\r\niSIGHT Partners.\r\nThe recently uncovered activity, which iSIGHT Partners calls NEWSCASTER, was a “brazen, complex multi-year cyber-espionage that used a low-tech approach to avoid traditional security defenses\r\n–exploiting social media\r\nand people who are often the ‘weakest link’ in the security chain.” \r\nUsing the fake personas, including at least two (falsified) legitimate identities from leading news organizations,\r\nand young, attractive women, the attackers were supported by a fictitious news organization called\r\nNewsOnAir.org (Do Not Visit) and were successful in connecting or victimizing over 2,000 individuals.\r\n“These credible personas then connected, linked, followed, and “friended” target victims, giving them access to\r\ninformation on location, activities, and relationships from updates and other common content,” iSIGHT Partners\r\nsaid.\r\nhttps://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation\r\nPage 1 of 5\n\nThe attackers used popular social media platforms such as Facebook, Twitter, LinkedIn, Google+, YouTube and\r\nBlogger as their attack platform.\r\nWhile the attack method is not novel, the cyber intelligence firm says that what this group lacks in technical\r\nsophistication they make up for in brashness, creativity, and patience.\r\nWorking undetected since 2011, iSIGHT Partners said targets included senior U.S. 
military and diplomatic\r\npersonnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, and defense contractors in the\r\nU.S. and Israel.\r\nOther victims targeted were in the U.K., Saudi Arabia, Iraq and also included vocal supporters of Israel.\r\n“Though it is possible anyone connected to the network was compromised, deliberate attempts to connect with\r\ncertain entities suggest an interest in political, military, diplomatic and technical intelligence,” the closely held\r\nreport said.\r\n“Largely this campaign was about credential harvesting and recon,” Stephen Ward, Senior Director of Marketing\r\nat iSIGHT Partners, told SecurityWeek.\r\n“They are using those connections to harvest connections to corporate email, harvest connections to personal\r\nemail, and use those springboards for further lateral [movement],” he said.\r\nAfter making connections on social networks, targets were sent spear-phishing messages, often with links asking\r\nrecipients to log in to fake pages in order to capture credentials.\r\nBelow is a list of some of the accounts/fake personas allegedly used by the attackers.\r\nThe campaign also leveraged malware, and while the malware used was not particularly sophisticated, it does\r\ninclude the capability to exfiltrate data.\r\n“They are sort of disadvantaged from a technological advancement side of things,” Ward said, referring to\r\nassumed Iranian attackers. “They have taken to the cyber world the same way you can compare the impact of\r\n[improvised explosive devices]. 
The approach is low cost and does not really use a lot of sophistication from an\r\nexploit perspective, but is very effective and ultimately a bit more under the radar.”\r\n“Adversaries such as these are increasingly adept at finding and exploiting opportunities to carry out cyber\r\nespionage, even when lacking sophisticated capability,” iSIGHT Partners concluded. “NEWSCASTER’s success\r\nis largely due to its patience, brazen nature, and innovative use of multiple social media platforms.”\r\nOrganizations involved in critical infrastructure, or who have information that may be of strategic or tactical\r\ninterest to a nation-state adversary should be concerned about a threat such as this, iSIGHT Partners warned.\r\nWe are protective of sources and methods, but we can confirm that these actors did not go unnoticed by some\r\ntargeted entities and they left significant evidence of their activity throughout the Internet.\r\nAttribution to Iran\r\nAccording to iSIGHT Partners, there is no direct information showing that the Iranian government is the ultimate\r\nsponsor of the campaign, but iSIGHT researchers do believe the threat actors are located in Iran.\r\n“[The attackers] maintained a regular schedule, including what appears to be a lengthy lunch break followed by\r\nthe remainder of the work day,” the report said. “These hours conform to work hours in Tehran. 
Furthermore, the\r\noperators work half the day on Thursday and rarely work on Friday, the Iranian weekend.”\r\nAdditional clues, such as the targets the attackers selected, along with additional technical indicators, led\r\niSIGHT to believe NEWSCASTER stems from Iran.\r\niSIGHT Partners said it did coordinate with the FBI to brief government agencies and also notified Facebook,\r\nLinkedIn and other social networks.\r\nAccording to Ward, the identified malicious personas have been removed from Facebook and LinkedIn.\r\nThe report from iSIGHT Partners comes roughly two weeks after a report from FireEye, which suggested that\r\nIranian attackers’ methodologies have “grown more consistent with other advanced persistent threat (APT) actors\r\nin and around Iran” following cyber attacks against Iran in the late 2000s.\r\n“Iran has steadily increased their focus on cyber espionage over the years, placing significant emphasis on\r\nenhancing capabilities following the Stuxnet attacks,” Michael Sutton, VP of Security Research for Zscaler, told\r\nSecurityWeek. “The NEWSCASTER attacks, while not technically sophisticated, were allegedly quite successful.\r\nOften social engineering can be the most powerful tool in an attacker’s arsenal.”\r\nSocial networks are a significant challenge for security teams, Sutton says.\r\n“They generally represent a personal communication medium which the organization does not have direct control\r\nover and yet can become a source of leaked data or a catalyst for attack as has been seen in the NEWSCASTER\r\nattacks. 
Moreover, due to password reuse, even if an attacker can gain access to credentials used by a victim on\r\npersonal accounts, there is a strong likelihood that the same credentials have also been used for more sensitive\r\ncorporate accounts.”\r\n“The campaign reported by iSIGHT Partners uncovers what we have known for the last decade — that sophisticated\r\nhackers backed by nation states target the weakest link on networks — the user with relatively unsophisticated\r\ntechniques including spear phishing and social media,” Anup Ghosh, founder and CEO of Invincea, told\r\nSecurityWeek.\r\n“Using social media is both a way of establishing false bona fides while presenting a well accepted vector for\r\nreaching targets,” Ghosh continued. “A simple LinkedIn or Twitter update with a link, or a timely email from a\r\nconnection with embedded link or attachment is enough to compromise the intended target’s machine, accounts,\r\ndata, and enterprise network.”\r\n“This is not surprising as every major foreign adversary is leveraging social media as a cyber attack vector,” added\r\nJames C. Foster, CEO of ZeroFOX. “Our government realizes this threat is increasing and social media is being\r\nused for target reconnaissance and exploitation.”\r\nSource: https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation"
	],
	"report_names": [
		"iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation"
	],
	"threat_actors": [
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35",
				"APT42",
				"Agent Serpens Palo Alto",
				"Charming Kitten",
				"CharmingCypress",
				"Educated Manticore Checkpoint",
				"ITG18",
				"Magic Hound",
				"Mint Sandstorm sub-group",
				"NewsBeef",
				"Newscaster",
				"PHOSPHORUS sub-group",
				"TA453",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775792136,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/338a27b4bc0d9bb17b2aae2185778ddf1477bb59.pdf",
		"text": "https://archive.orkl.eu/338a27b4bc0d9bb17b2aae2185778ddf1477bb59.txt",
		"img": "https://archive.orkl.eu/338a27b4bc0d9bb17b2aae2185778ddf1477bb59.jpg"
	}
}