Iranian spies appear to be engaged in their most elaborate and persistent effort yet to dupe lawmakers, journalists and defense contractors into revealing email addresses, network logins and other information that could be used to collect intelligence.

A three-year espionage campaign, believed to have originated in Iran, has used an elaborate scheme involving a fabricated news agency, fake social media accounts and bogus journalist identities to trick victims in the United States, Israel and elsewhere, according to iSight Partners, the company that uncovered the campaign.

Using fake accounts on Facebook, Twitter, LinkedIn, YouTube and Google+, the attackers have built an elaborate universe of fake personas bolstered by secondary accounts all for the purpose of garnering the trust of their targets, according to a report issued by the company.

“We’ve never seen a cyber espionage campaign from the Iranians as complex, broad reaching and persistent as this one,” says Tiffany Jones, senior vice president of client services at iSight. “The dozen or so primary fictitious personas have done a pretty successful job over the last few years in gleaning thousands of connections and ultimately targeting legitimate individuals through their social media networks.”

The spies also created a fake news organization, NewsOnAir.org, owned and operated by a fake media mogul named Joseph Nillson, whom they depicted with a photo of Alexander McCall Smith, author of The No.1 Ladies’ Detective Agency. The news site is populated with articles lifted from CNN and the BBC and published under the names of NewsOnAir "reporters." Once those stories are posted, Twitter and other social media accounts associated with the fake identities link to them, making the operation appear legitimate.

How the campaign steals legitimate news stories and reposts them on its fake news site to lend it credibility. Illustration: Courtesy of iSight Partners

The attackers have targeted members of the U.S. military, Congress and various think tanks, along with journalists, defense contractors in the United States and Israel, and members of U.S. and Israeli lobbying groups. They also targeted victims in Saudi Arabia, Iraq and the United Kingdom.

Although the enterprise could be a false-flag operation designed to implicate Iran, Jones and Hultquist say several clues point to Iran being responsible. The NewsOnAir domain is registered in Tehran, and a malicious IRC bot the attackers use employed certain Persian words, such as parastoo. The stories posted to NewsOnAir tend to focus on Iranian issues. And a timeline of the group’s activity–such as when the attackers posted news stories to their portal or when some of the false identities updated their social networks–suggests the attackers follow the typical work week and hours in Iran.
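The work-week clue above is a standard attribution heuristic: convert every timestamped action (a post to the portal, a profile update) into a candidate operator's local time and see which locale makes the activity fall inside ordinary business hours on that locale's working days. The script below is an added illustration of that heuristic and is not iSight's code or data. It assumes fixed UTC offsets (no daylight-saving handling), takes Iran's work week as Saturday through Wednesday and Israel's as Sunday through Thursday, and scores constructed timestamps rather than anything from the real campaign.

```python
from datetime import datetime, timedelta, timezone
from collections import Counter

# Python's weekday(): Monday=0 ... Sunday=6.
SAT_TO_WED = {5, 6, 0, 1, 2}   # assumed Iranian work week (Friday off, Thursday omitted)
SUN_TO_THU = {6, 0, 1, 2, 3}   # assumed Israeli work week
MON_TO_FRI = {0, 1, 2, 3, 4}

# Candidate operator locales: (fixed UTC offset, set of local working days).
# Simplification: real analysis would use IANA zones with DST and a longer window.
CANDIDATES = {
    "Tehran (UTC+3:30)": (timedelta(hours=3, minutes=30), SAT_TO_WED),
    "Tel Aviv (UTC+2)": (timedelta(hours=2), SUN_TO_THU),
    "London (UTC+0)": (timedelta(hours=0), MON_TO_FRI),
    "Washington (UTC-5)": (timedelta(hours=-5), MON_TO_FRI),
}

WORK_START, WORK_END = 8, 18  # local hours counted as "office hours"


def business_hours_score(utc_times, offset, workdays):
    """Fraction of events that land in office hours on a working day
    once shifted into the candidate's local time."""
    local_tz = timezone(offset)
    hits = 0
    for t in utc_times:
        local = t.astimezone(local_tz)
        if local.weekday() in workdays and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(utc_times)


def rank_candidates(utc_times):
    """Return [(name, score), ...] sorted best-fit first."""
    scored = [(name, business_hours_score(utc_times, off, days))
              for name, (off, days) in CANDIDATES.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def local_hour_histogram(utc_times, offset):
    """Counter of local hour-of-day, useful for eyeballing a daily rhythm."""
    local_tz = timezone(offset)
    return Counter(t.astimezone(local_tz).hour for t in utc_times)


def constructed_posts():
    """Constructed sample: three weeks of portal posts made at 09:00, 11:00,
    14:00 and 16:00 Tehran time on Saturday-Wednesday, stored as UTC the way
    a server log or social-media API would report them."""
    tehran = timezone(timedelta(hours=3, minutes=30))
    start = datetime(2013, 9, 1, tzinfo=tehran)
    posts = []
    for day_offset in range(21):
        day = start + timedelta(days=day_offset)
        if day.weekday() not in SAT_TO_WED:
            continue
        for hour in (9, 11, 14, 16):
            posts.append(day.replace(hour=hour).astimezone(timezone.utc))
    return posts


if __name__ == "__main__":
    posts = constructed_posts()
    for name, score in rank_candidates(posts):
        print(f"{name:20s} {score:.2f}")
    print(sorted(local_hour_histogram(posts, timedelta(hours=3, minutes=30)).items()))
```

On the constructed data Tehran scores 1.0, but a neighbouring zone with a similar week (Tel Aviv here) still scores 0.6, which is the practitioner's caveat: an activity rhythm narrows the field and corroborates other evidence such as the domain registration and the Persian strings, but on its own it is weak and trivially spoofable by an operator working shifted hours, which is exactly why the false-flag possibility has to stay open.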

Whoever the attackers are, they show an intense interest in issues pertaining to Iran and to high-ranking people involved in nuclear nonproliferation issues and those associated with embargos and sanctions against Iran. They’re also interested in lobbying organizations focused on U.S.-Israeli alliances.

“Based on the individuals they’re targeting, you can infer what they’re after,” Jones says. “They steal defense credentials and get access to the enterprise or to other accounts, and you can do a lot of damage in terms of stealing intellectual property and, obviously, military blueprints.”

The complex operation is distinguished less by its techniques–which aren’t especially sophisticated–than by the tenacity the attackers have shown in building the web of personas and infrastructure that supports it. The researchers have counted at least 2,000 connections the attackers have made through LinkedIn and other social media accounts.

In one case, they commandeered the identity of a Reuters journalist, using her real name but a fictitious photo of her. In another case they used the photo of a real Fox News journalist but changed the name. They have also used images of B-list celebrities, the researchers said.

The attackers created elaborate profiles and posted fake blogs to fabricate relationships and infiltrate a target's circle of connections. One fake persona, for example, posted a photo of a dog and claimed the animal died in the owner’s arms. Another posted a message discussing loneliness. The various fake personas spend a lot of time endorsing each other and establishing relationships to make them seem trustworthy.

“We’ve seen them call each other Dad when they post on Facebook,” says John Hultquist, head of cyber espionage intelligence for iSight.

A post published by one of these fake personas in a fake social media account to give the impression that the person really exists. Illustration: Courtesy of iSight Partners

The attackers study the social connections of their targets and cast a wide net, reaching out to former colleagues, school friends and family members to establish connections, which they patiently leverage to get ever closer to their targets. The targets are then lured to malicious sites–masquerading as a legitimate webmail login or company portal–where the attackers capture the credentials needed to read email accounts or gain a foothold within a network.

Although iSight can't say how often or to what extent the attackers have succeeded in infiltrating networks, the fact that the campaign has continued for three years, and that the attackers have invested so much time and effort in it, indicates they've gleaned some useful information.

“Because the operation has gone on since 2011, we think at the very least it indicates a strong degree of success based on their connections and continued ability to grow this extensive network,” Jones says.
