Skip to content
In your Facebook

Iranian military spear-phish of State Department employees detected first by Facebook

Cyber-espionage effort may be tied to the arrest of Iranian-American in Tehran.

Sean Gallagher | 29
The Facebook and e-mail accounts of US State Department officials focused on Iran were hacked and possibly used to gather data about US-Iranian dual citizens in Iran.
The Facebook and e-mail accounts of US State Department officials focused on Iran were hacked and possibly used to gather data about US-Iranian dual citizens in Iran.
Story text

More details have emerged about the hacking of the computers of US State Department and other government employees, first revealed earlier this month in a Wall Street Journal report. The intrusions by hackers purported to be associated with the Iranian Revolutionary Guard may be tied to the arrest of an Iranian-American businessman in Tehran in October and other arrests of dual citizens in Iran. The attackers used compromised social media accounts of junior State Department staff as part of a “phishing” operation that compromised the computers of employees working in the State Department’s Office of Iranian Affairs and Bureau of Near Eastern Affairs and in the computers of some journalists.

The first warning of the attacks came from Facebook, which alerted some of the affected users that their accounts had been compromised by a state-sponsored attack, The New York Times reports. The Iranian Revolutionary Guard hackers used the access to identify the victims’ contacts and build “spear-phishing” attacks that gave them access to targeted individuals’ e-mail accounts. The attack “was very carefully designed and showed the degree to which they understood which of our staff was working on Iran issues now that the nuclear deal is done,” an unnamed senior US official told the Times.

This most recent attack, which came after a brief period of little or no Iranian activity against US targets over the summer, according to data from Check Point and iSight Partners, was a change from tactics previously associated with Iranian hackers. Earlier attacks attributed to Iran were focused on taking financial services companies’ websites offline and destroying data—such as in the attack on casino company Las Vegas Sands Corp last year after its majority owner called for a nuclear attack on Iran. These attacks may not have been carried out by the Iranian government but by Iranian or pro-Iranian “hacktivists.” The State Department attack, however, was more subtle and aimed at cyber-espionage rather than simple vengeance—bearing hallmarks of tactics attributed to Chinese state-sponsored hackers.

The State Department’s e-mail systems have been the target of repeated attacks, including a penetration attributed to Chinese hackers that lasted months and exposed much of the contents of the department’s unclassified e-mails to attackers. The spear-phishing attacks came after the US government launched an extensive educational campaign about phishing attacks in the wake of the Office of Personnel Management hack’s exposure of personal details about millions of current and former federal employees.

Photo of Sean Gallagher
Sean Gallagher IT Editor Emeritus
Sean was previously Ars Technica's IT and National Security Editor. After over 20 years in technology journalism, including over 9 at Ars, he pivoted to cybersecurity threat research, first at Sophos and now as a security research engineer at Cisco ‘s Talos Intelligence Group. A former Navy officer, he lives and works in Baltimore, Maryland.
29 Comments
Prev story
Next story