{ "id": "9d33e40f-663e-455a-838e-c22fd26c7cbc", "created_at": "2026-04-06T00:16:37.49597Z", "updated_at": "2026-04-10T13:11:57.735284Z", "deleted_at": null, "sha1_hash": "e0878c502c705f6b02be179bf72fd41053009218", "title": "Operation Newscaster", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 123206, "plain_text": "Operation Newscaster\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-03-29 · Archived: 2026-04-02 12:36:35 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nLogo designed by iSIGHT Partners\r\n\"Operation Newscaster\", as labelled by American firm iSIGHT Partners in 2014, is a cyber espionage covert\r\noperation directed at military and political figures using social networking, allegedly done by Iran. The operation\r\nhas been described as \"creative\",[1] \"long-term\" and \"unprecedented\".[2] According to iSIGHT Partners, it is \"the\r\nmost elaborate cyber espionage campaign using social engineering that has been uncovered to date from any\r\nnation\".[2]\r\nISight's perceptions\r\n[edit]\r\nA screenshot from NewsOnAir.org\r\nOn 29 May 2014, Texas-based cyber espionage research firm iSIGHT Partners released a report, uncovering an\r\noperation it labels \"Newscaster\" since at-least 2011, has targeted at least 2,000 people in United States, Israel,\r\nBritain, Saudi Arabia, Syria, Iraq and Afghanistan.\r\n[2][3]\r\nhttps://en.wikipedia.org/wiki/Operation_Newscaster\r\nPage 1 of 3\n\nThe victims who are not identified in the document due to security reasons, are senior U.S. military and\r\ndiplomatic personnel, congresspeople, journalists, lobbyists, think tankers and defense contractors, including a\r\nfour-star admiral.\r\n[2][3]\r\nThe firm couldn’t determine what data the hackers may have stolen.[3]\r\nAccording to the iSIGHT Partners report, hackers used 14 \"elaborated fake\" personas claiming to work in\r\njournalism, government, and defense contracting and were active in Facebook, Twitter, LinkedIn, Google+,\r\nYouTube and Blogger. To establish trust and credibility, the users fabricated a fictitious journalism website,\r\nNewsOnAir.org, using content from the media like Associated Press, BBC, Reuters and populated their profiles\r\nwith fictitious personal content. They then tried to befriend target victims and sent them \"friendly messages\"[1]\r\nwith Spear-phishing to steal email passwords[4] and attacks and infecting them to a \"not particularly sophisticated\"\r\nmalware for data exfiltration.[2][3]\r\nThe report says NewsOnAir.org was registered in Tehran and likely hosted by an Iranian provider. The Persian\r\nword \"Parastoo\" (پرستو ;meaning swallow) was used as a password for malware associated with the group, which\r\nappeared to work during business hours in Tehran[2] as they took Thursday and Friday off.[1] iSIGHT Partners\r\ncould not confirm whether the hackers had ties to the Iranian government.\r\n[4]\r\nAccording to Al Jazeera, Chinese army's cyber unit carried out scores of similar phishing schemes.[4]\r\nMorgan Marquis-Boire, a researcher at the University of Toronto stated that the campaign \"appeared to be the\r\nwork of the same actors performing malware attacks on Iranian dissidents and journalists for at least two years\".[4]\r\nFranz-Stefan Gady, a senior fellow at the EastWest Institute and a founding member of the Worldwide\r\nCybersecurity Initiative, stated that “They’re not doing this for a quick buck, to extrapolate data and extort an\r\norganization. They’re in it for the long haul. Sophisticated human engineering has been the preferred method of\r\nstate actors”.[4]\r\nFacebook spokesman said the company discovered the hacking group while investigating suspicious friend\r\nrequests and removed all of the fake profiles.[2]\r\nLinkedIn spokesman said they are investigating the report, though none of the 14 fake profiles uncovered\r\nwere currently active.[2]\r\nTwitter declined to comment.[2]\r\nFederal Bureau of Investigation told Al Jazeera \"it was aware of the report but that it had no comment\".[4]\r\n1. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n Nakashima, Ellen (May 29, 2014). \"Iranian hackers are targeting U.S. officials through\r\nsocial networks, report says\". The Washington Post. Retrieved March 30, 2015.\r\n2. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \r\ng\r\n \r\nh\r\n \r\ni\r\n Finkle, Jim (May 29, 2014). Tiffany Wu (ed.). \"Iranian hackers use fake\r\nFacebook accounts to spy on U.S., others\". Reuters. Retrieved March 30, 2015.\r\n3. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n Chumley, Cheryl K. (May 29, 2014). \"Iranian hackers sucker punch U.S. defense\r\nofficials with creative social-media scam\". The Washington Times. Retrieved March 30, 2015.\r\nhttps://en.wikipedia.org/wiki/Operation_Newscaster\r\nPage 2 of 3\n\n4. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n Pizzi, Michael (May 29, 2014). \"Iran hackers set up fake news site, personas to\r\nsteal U.S. secrets\". Al Jazeera. Retrieved March 30, 2015.\r\nNEWSCASTER – An Iranian Threat Inside Social Media\r\nSource: https://en.wikipedia.org/wiki/Operation_Newscaster\r\nhttps://en.wikipedia.org/wiki/Operation_Newscaster\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "origins": [ "web" ], "references": [ "https://en.wikipedia.org/wiki/Operation_Newscaster" ], "report_names": [ "Operation_Newscaster" ], "threat_actors": [ { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "e034b94b-9655-42c4-a72e-a58807dce299", "created_at": "2022-10-25T16:07:24.133537Z", "updated_at": "2026-04-10T02:00:04.876832Z", "deleted_at": null, "main_name": "Rocket Kitten", "aliases": [ "Group 83", "NewsBeef", "Newscaster", "Operation Newscaster", "Operation Woolen-GoldFish", "Parastoo", "Rocket Kitten" ], "source_name": "ETDA:Rocket Kitten", "tools": [ "CoreImpact (Modified)", "FireMalv", "Ghole", "Gholee" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434597, "ts_updated_at": 1775826717, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e0878c502c705f6b02be179bf72fd41053009218.pdf", "text": "https://archive.orkl.eu/e0878c502c705f6b02be179bf72fd41053009218.txt", "img": "https://archive.orkl.eu/e0878c502c705f6b02be179bf72fd41053009218.jpg" } }