Despite their disparate origins, many of the intrusion groups we track every day at iSIGHT Partners use similar methods. They rely heavily on spear-phishing emails and web exploitation, for instance, differentiating themselves primarily by their technical prowess. The most sophisticated actors have created an arms race for zero-day vulnerabilities and sophisticated malware, limiting others to known vulnerabilities and commodity alternatives.
iSIGHT has recently uncovered activity, which we call NEWSCASTER, that has quietly carried out cyber espionage since 2011, while eschewing methods preferred by many of its peers. NEWSCASTER is distinctive for its reliance on social networks, and the intricate network of false personas that exists on several of these platforms. Most notably, several of these personas are legitimized by a front news organization called NewsOnAir.org.
NEWSCASTER personas purport to be journalists, members of the military, and defense contractors in order to target senior civilian government officials, high-ranking members of the military, think tanks, the US and Israeli defense industrial base, and supporters of the state of Israel. Using a relatively simple credential harvesting technique, NEWSCASTER can gain access to the email systems of these potential intelligence sources. Based on the evidence we’ve gathered, we believe the group has Iranian origins, though we cannot attribute it to a specific sponsor.
The threat from NEWSCASTER is essentially asymmetric. In many ways, these operators have escaped the malware arms race in favor of an alternative approach. NEWSCASTER focuses on human factors and third-party platforms, weak spots for many of the most sophisticated enterprise defenses. We believe the best response to an adversary such as this is one informed by cyber threat intelligence.