Iran deceives US military contractors and government agencies in cyber campaign

An elite team of Iranian state-sponsored hackers successfully infiltrated hundreds of thousands of employee accounts at U.S. companies and government agencies as part of a multi-year cyber espionage campaign aimed at stealing military secrets, according to federal prosecutors.

The U.S. Departments of State and Treasury were among those compromised in the elaborate campaign, which lasted from 2016 to 2021, according to a U.S. Department of Justice indictment made public this week. Various defense contractors with high-level security clearances, a New York-based accounting firm and a New York-based hospitality company were also hit, according to the documents.

Overall, more than a dozen entities and hundreds of thousands of employee accounts were compromised in the attacks, including more than 200,000 accounts at the hospitality-company victim alone.

Four Iranian nationals, including an alleged member of the Islamic Revolutionary Guard Corps (IRGC) Electronic Warfare Division, have been indicted for the attacks. The defendants are accused of impersonating an Iran-based company that purported to provide “cybersecurity services” in a series of spearphishing attacks on their targets. Their aim was to trick email recipients into clicking a malicious link that ran unnamed custom malware and allowed account takeover.

In one case they managed to take over the email account of an administrator at a defense contractor, which they then used to create other unauthorized accounts and send spearphishing emails to employees of a second defense contractor and of a consulting firm.
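The chain described in that paragraph (compromised administrator creates accounts, the new accounts immediately send mail to other organisations) leaves a footprint in directory and mail audit logs that a defender can look for. The following is an added detection sketch, not code from the indictment or from any named product: the JSON-lines log format, field names and domain names are constructed for the example, and the thresholds are assumptions to be tuned to a real environment.

```python
"""
Detection sketch for the account-takeover chain: an administrator account
creates a burst of new accounts, and accounts only hours old send mail to
external domains. Log format and field names are constructed for this
example and do not correspond to any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample audit events (JSON lines). Not real data.
SAMPLE_LOG = """
{"ts": "2021-03-01T08:00:00Z", "event": "user.create", "actor": "it-admin@contractor-a.example", "target": "svc-backup@contractor-a.example"}
{"ts": "2021-03-01T08:02:00Z", "event": "user.create", "actor": "it-admin@contractor-a.example", "target": "j.doe2@contractor-a.example"}
{"ts": "2021-03-01T08:03:00Z", "event": "user.create", "actor": "it-admin@contractor-a.example", "target": "m.roe@contractor-a.example"}
{"ts": "2021-03-01T09:15:00Z", "event": "mail.send", "actor": "j.doe2@contractor-a.example", "recipients": ["eng@contractor-b.example", "hr@consulting-co.example"]}
{"ts": "2021-03-01T09:16:00Z", "event": "mail.send", "actor": "m.roe@contractor-a.example", "recipients": ["pm@contractor-b.example"]}
{"ts": "2021-03-01T10:00:00Z", "event": "mail.send", "actor": "alice@contractor-a.example", "recipients": ["bob@contractor-a.example"]}
{"ts": "2021-03-10T14:00:00Z", "event": "user.create", "actor": "it-admin@contractor-a.example", "target": "new.hire@contractor-a.example"}
{"ts": "2021-03-12T09:00:00Z", "event": "mail.send", "actor": "new.hire@contractor-a.example", "recipients": ["team@contractor-a.example"]}
"""

HOME_DOMAIN = "contractor-a.example"      # assumed: the organisation's own mail domain
BURST_WINDOW = timedelta(minutes=10)      # assumed tuning value
BURST_THRESHOLD = 3                       # creations by one actor inside BURST_WINDOW
NEW_ACCOUNT_AGE = timedelta(hours=24)     # mail from an account younger than this is suspicious


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_external(addr):
    """True when the address is outside the organisation's own domain."""
    return not addr.lower().endswith("@" + HOME_DOMAIN)


def find_creation_bursts(events):
    """Return {actor: count} for actors that created >= BURST_THRESHOLD
    accounts within any BURST_WINDOW-sized interval."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event"] == "user.create":
            by_actor[ev["actor"]].append(ev["ts"])
    flagged = {}
    for actor, times in by_actor.items():
        for i, start in enumerate(times):
            window = [t for t in times[i:] if t - start <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                flagged[actor] = len(window)
                break
    return flagged


def find_young_senders(events):
    """Return (account, creator, minutes_old, external_recipients) for mail
    sent to external domains by accounts created less than NEW_ACCOUNT_AGE
    before the send."""
    created = {}   # account -> (creation time, creating actor)
    hits = []
    for ev in events:
        if ev["event"] == "user.create":
            created[ev["target"]] = (ev["ts"], ev["actor"])
        elif ev["event"] == "mail.send" and ev["actor"] in created:
            born, creator = created[ev["actor"]]
            age = ev["ts"] - born
            external = [r for r in ev["recipients"] if is_external(r)]
            if age <= NEW_ACCOUNT_AGE and external:
                hits.append((ev["actor"], creator, int(age.total_seconds() // 60), external))
    return hits


def analyse(text=SAMPLE_LOG):
    """Run both detections over a log and return their findings."""
    events = parse_events(text)
    return {"bursts": find_creation_bursts(events),
            "young_senders": find_young_senders(events)}


if __name__ == "__main__":
    result = analyse()
    for actor, n in result["bursts"].items():
        print(f"[burst] {actor} created {n} accounts within {BURST_WINDOW}")
    for acct, creator, mins, ext in result["young_senders"]:
        print(f"[young-sender] {acct} (created by {creator} {mins} min earlier) mailed external: {ext}")
```

Run as a script it flags the administrator's three creations in a ten-minute window and the two day-old accounts that mailed other companies, while the legitimately onboarded account that mailed internal colleagues two days later is left alone. The two signals are deliberately correlated through the creating actor: a burst alone is noisy (bulk onboarding), young accounts mailing externally alone is noisy (contractors), but both tied to one administrator in one morning is the pattern this case describes.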

In some cases they also successfully posed as women interested in romantic connections, approaching victims through social media. This ruse was likewise aimed at delivering malware onto victims’ computers, according to the indictment (PDF).

Both approaches are in line with Iran’s long-standing modus operandi of building elaborate social engineering campaigns to gain the trust of targets. A recent attempt by Charming Kitten, for example, involved creating an entire fake webinar platform to compromise its targeted victims. Overall, Iran-nexus threat actors are “more advanced and more sophisticated by a significant margin” in their social engineering efforts, according to Steven Adair, co-founder and president of Volexity, speaking after disclosing the Charming Kitten campaign. “It’s a level of commitment and dedication… definitely different and unusual.”

The extent of the data compromise is unclear

In the campaign revealed this week, once the accounts were compromised, the hacking team allegedly used a complex back-end infrastructure and a custom application called “Dandelion” to manage the attack. Dandelion provided a dashboard that listed victims, their IP addresses, physical locations, web browsers, and operating systems; whether they clicked on malicious spearphishing links; and whether the accounts should be allocated to further activities.

The Justice Department has made few other details about the campaign public; nor did it reveal whether the state-sponsored attackers were able to access and steal sensitive data. The depth of compromise they reached during the five years they remained hidden inside these high-value networks therefore remains unclear.

Unfortunately, prison time is unlikely even if convictions are secured: Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani and Alireza Shafie Nasab all remain at large. The State Department is offering a reward of up to $10 million for information that could aid in their capture.
