Iran Dupes US Military Contractors, Gov't Agencies in Years-Long Cyber Campaign

A state-sponsored hacking team employed a clever masquerade and elaborate back-end infrastructure as part of a five-year info-stealing campaign that compromised the US State and Treasury Departments, and hundreds of thousands of accounts overall.

White masquerade ball mask adorned with glitter and rhinestons surrounded by party beads, bangles and fabrics
Source: Joe Quinn via Alamy Stock Photo

An elite team of Iranian state-sponsored hackers successfully infiltrated hundreds of thousands of employee accounts at US companies and government agencies, according to the Feds, as part of a multiyear cyber espionage campaign aimed at stealing military secrets.

The US Departments of Treasury and State are among those compromised in the elaborate campaign, which lasted from 2016 to 2021 according to a US Justice Department indictment unsealed this week. Various defense contractors with high-level security clearances, a New York-based accounting firm, and a New York-based hospitality company were also affected, according to the documents.

In all, more than a dozen entities and hundreds of thousands of employee accounts were compromised in the attacks, including more than 200,000 accounts at the hospitality victim.

Iran's State-Sponsored, Elaborate Social Engineering Efforts

Four Iranian nationals — including one alleged member of the government's Islamic Revolutionary Guard Corps (IRGC) Electronic Warfare division — have been indicted for the attacks. The defendants are accused of posing as an Iran-based company that purported to provide "cybersecurity services" in a series of spearphishing overtures to their targets. Their aim was to trick email recipients into clicking on a malicious link that executed an unnamed custom malware and allowed account takeover.

In one case, they managed to allegedly take over an administrator email account at a defense contractor, which they then used to create other unauthorized accounts in order to send spearphishing emails to employees of a different defense contractor and a consulting firm.

In some cases, they also successfully posed as women interested in romantic connections, targeting victims through social media connections. This gambit was also aimed at eventually deploying malware onto victim computers, according to the indictment (PDF).

Both approaches align with Iran's long-standing MO of creating clever social-engineering campaigns to gain targets' confidence. A recent Charming Kitten effort for example involved the creation of an entire phony webinar platform to compromise its targeted victims. In general, Iran-nexus threat actors are "more advanced and more sophisticated by a significant margin" in their social-engineering efforts, according to Steven Adair, co-founder and president of Volexity, speaking after disclosing the Charming Kitten campaign. "It's a level of effort and dedication ... that is definitely different and uncommon."

The Extent of Data Compromise Is Unclear

In the campaign revealed this week, once the accounts were compromised, the hacking team allegedly used a complex back-end infrastructure and a custom application called "Dandelion" to manage the attack. Dandelion provided a dashboard that enumerated the victims, their IP addresses, physical locations, Web browsers, and OS; whether they clicked on the malicious spearphishing links; and whether the accounts should be targeted for further activity.

The Justice Department did not publicize many other details on the effort; nor did it reveal whether the state-sponsored attackers were able to access and steal classified data. Thus, the level of compromise they were able to achieve in the five years they lurked within the high-value networks remains unclear.

Unfortunately, jailtime will likely not be on offer in the event of a conviction in the case: Hossein Harooni (حسین هارونی), Reza Kazemifar (رضا کاظمی فر), Komeil Baradaran Salmani (کمیل برادران سلمانی), and Alireza Shafie Nasab (علیرضا شفیعی نسب) all remain at large. The State Department is offering a reward of up to $10 million for information that could help with their apprehension.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights