Iran Dupes US Military Contractors, Govt Agencies in Years-Long Cyber Campaign

A state-sponsored hacking team employed a clever masquerade and elaborate back-end infrastructure as part of a five-year info-stealing campaign that compromised the US State and Treasury Departments, and hundreds of thousands of accounts overall.

An elite team of Iranian state-sponsored hackers successfully infiltrated hundreds of thousands of employee accounts at US companies and government agencies, according to the Feds, as part of a multiyear cyber espionage campaign aimed at stealing military secrets.
The US Departments of Treasury and State are among those compromised in the elaborate campaign, which lasted from 2016 to 2021 according to a US Justice Department indictment unsealed this week. Various defense contractors with high-level security clearances, a New York-based accounting firm, and a New York-based hospitality company were also affected, according to the documents.
In all, more than a dozen entities and hundreds of thousands of employee accounts were compromised in the attacks, including more than 200,000 accounts at the hospitality victim.
Four Iranian nationals — including one alleged member of the governments
Islamic Revolutionary Guard Corps (IRGC)
Electronic Warfare division — have been indicted for the attacks. The defendants are accused of posing as an Iran-based company that purported to provide cybersecurity services in a series of spearphishing overtures to their targets. Their aim was to trick email recipients into clicking on a malicious link that executed an unnamed custom malware and allowed account takeover.
In one case, they managed to allegedly take over an administrator email account at a defense contractor, which they then used to create other unauthorized accounts in order to send spearphishing emails to employees of a different defense contractor and a consulting firm.
In some cases, they also successfully posed as women interested in romantic connections, targeting victims through social media connections. This gambit was also aimed at eventually deploying malware onto victim computers, according to
the indictment
(PDF).
Both approaches align with Irans long-standing MO of
creating clever social-engineering campaigns
to gain targets confidence. A recent Charming Kitten effort for example involved the creation of an entire phony webinar platform to compromise its targeted victims. In general, Iran-nexus threat actors are more advanced and more sophisticated by a significant margin in their social-engineering efforts, according to Steven Adair, co-founder and president of Volexity, speaking after disclosing the Charming Kitten campaign. Its a level of effort and dedication ... that is definitely different and uncommon.
In the campaign revealed this week, once the accounts were compromised, the hacking team allegedly used a complex back-end infrastructure and a custom application called Dandelion to manage the attack. Dandelion provided a dashboard that enumerated the victims, their IP addresses, physical locations, Web browsers, and OS; whether they clicked on the malicious spearphishing links; and whether the accounts should be targeted for further activity.
The Justice Department did not publicize many other details on the effort; nor did it reveal whether the state-sponsored attackers were able to access and steal classified data. Thus, the level of compromise they were able to achieve in the five years they lurked within the high-value networks remains unclear.
Unfortunately, jailtime will likely not be on offer in the event of a conviction in the case: Hossein Harooni (حسین هارونی), Reza Kazemifar (رضا کاظمی فر), Komeil Baradaran Salmani (کمیل برادران سلمانی), and Alireza Shafie Nasab (علیرضا شفیعی نسب) all remain at large. The State Department is offering a reward of up to $10 million for information that could help with their apprehension.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Iran Dupes US Military Contractors, Govt Agencies in Years-Long Cyber Campaign