05.29.14

Iran Is Using a Neocon to Hack Its Foes

John Bolton, the former U.N. ambassador under George W. Bush, is playing an unexpectedly prominent role in an Iranian cyberspying campaign.

In Iran’s intelligence war against America, the regime has a new weapon: “John R. Bolton.”

No, Iran has not turned President Bush’s former ambassador to the United Nations into a sleeper agent. Instead, hackers believed to be connected to the Tehran government are posing as Bolton on social media platforms in a scheme to get human rights activists and national security wonks to hand over their passwords and user names.

The fake Bolton LinkedIn account provides a window into how Iran’s hackers are trying to penetrate the policy networks of their government’s adversaries. Most experts say Iran lacks the sophistication to launch the kinds of advanced cyber attacks it has suffered at the hands of the West, such as the Stuxnet worm that burrowed into the Natanz uranium enrichment facility. But the LinkedIn attack and others like it exposed this week by the cybersecurity firm iSight Partners show how aggressive Iran’s cyber spies can be in obtaining the kind of personal information that could be used to blackmail and compromise the people Iran’s regime considers its enemies in Washington.

Here’s how it works. “John R. Bolton” sends a request to connect on LinkedIn. If you respond, he begins to strike up a conversation through LinkedIn’s private message function. Over a period of weeks, the hacker builds trust, and then Bolton asks for your input on a new website he is launching. When you get to the website—which is not yet ready to be seen by the public—you are asked for your email and password. If you proceed, it will only be a few hours until some hacker in Tehran is downloading your electronic correspondence.

This is what happened to Kit Bigelow, one of Washington’s leading advocates for the Baha’i, a religious faith that has been the subject of mistreatment in Iran. “I was surprised to get this invitation from him, but it was not completely out of the blue,” she told The Daily Beast. “Why would he be in touch with me? We had not been in touch for several years, but because we had been in touch on and off I did not think it was outrageous.”

Bolton confirmed that he did indeed know Bigelow and had sought her counsel many years ago. But he also said he has not made a LinkedIn connection for more than a year and never uses the network’s private message function.

The messages from the fake Bolton began with chitchat, and expressed a desire to get together after all these years. Then came the ask, albeit in less than perfect English. “Speaking of the meeting tells me to remind you of the new project I am recently conducting with a team of specialists under my supervision,” the hacker wrote through a private LinkedIn message. “Considering your experience and background in Bahaism and some other related fields, I’d like to offer you an opportunity for cooperation! I have recently established a web site containing a summary of what actually will be done within the purview of our research. I will do my best to show you the web site in the week to come.”

Bigelow said the fake Bolton had taken two months to build up trust before sending her the link to the website he asked her to review. When she finally got around to doing it, the intrusions started soon after. “During that night in the middle of the night, there were two attempts from the United States to break into my professional Gmail account. They had the chutzpah to send me a test email from an outlook.com address. I woke up that morning and Google had sent me a note that said someone from Tehran has tried to break into your account,” she said. She then changed her passwords, ended all contact with the Iranian Bolton, and alerted the office of the real one.

It’s difficult to prove with courtroom certainty, but experts believe the fake Bolton LinkedIn account was part of a sophisticated Iranian scheme to steal the passwords and credentials of government officials, journalists, human rights activists and members of the pro-Israel lobby.

John Hultquist, an analyst with iSight Partners, said the fake Bolton profile matched the methods used by Iranian hackers exposed in his firm’s new research paper on Iran’s cyber-espionage operations through social engineering. That paper exposed an elaborate network of fake social media profiles and even an entire fake news site known as newsonair.com, where Iranians posing as journalists or other kinds of analysts sought to connect through Twitter, Facebook and LinkedIn with their targets.

“We saw connections in neoconservative think tanks as well as the Baha’i faith,” Hultquist said of his research. Because the hackers targeted the pro-Israel lobby, Baha’i activists and others who would be considered hawkish on Iran, Hultquist said these matched Iran’s intelligence targets more generally.

In some ways the operation echoes “Shady Rat,” a similar kind of scheme that penetrated the email systems of journalists and human rights activists critical of China’s government.

In his research, Hultquist also saw from the time stamps that most of the activity on these fake profiles was conducted during business hours in Iran. Beyond that, the newsonair.com website was hosted on Iranian servers, and the malware used in the final attacks contained Persian words in its code.
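The time-stamp reasoning above is a standard attribution heuristic: convert the observed activity times into the local time of each candidate operator location and see which working week they line up with. The following is an added illustration of that check, written for this page rather than taken from the article or from iSight’s research; the activity timestamps are constructed sample data, and the Saturday-to-Wednesday Iranian working week and the 08:00–18:00 business-hours window are assumptions the analyst would tune.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo  # Python 3.9+; needs the system tz database
except ImportError:  # pragma: no cover
    ZoneInfo = None

# Fallback fixed offsets (standard time, no DST) used only if tz data is missing.
# Every sample date below is in January, when neither zone observes DST, so the
# fallback produces the same local times as the real zone rules would.
_FIXED_OFFSETS = {
    "Asia/Tehran": timezone(timedelta(hours=3, minutes=30)),
    "America/New_York": timezone(timedelta(hours=-5)),
}


def get_zone(name):
    """Return a tzinfo for an IANA zone name, with a fixed-offset fallback."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except Exception:  # ZoneInfoNotFoundError when tzdata is absent
            pass
    return _FIXED_OFFSETS[name]


# Working weeks as Python weekday numbers (Monday=0 ... Sunday=6).
# Assumption: Iran's week runs Saturday to Wednesday; Thursday is treated as off.
IRAN_WORKWEEK = {5, 6, 0, 1, 2}
US_WORKWEEK = {0, 1, 2, 3, 4}

# Constructed sample: UTC timestamps of posts and messages from one fake profile.
SAMPLE_ACTIVITY_UTC = [
    "2014-01-05T05:30:00+00:00",
    "2014-01-05T08:15:00+00:00",
    "2014-01-06T11:45:00+00:00",
    "2014-01-07T13:00:00+00:00",
    "2014-01-08T06:00:00+00:00",
    "2014-01-09T07:00:00+00:00",
    "2014-01-11T04:40:00+00:00",
    "2014-01-12T14:20:00+00:00",
    "2014-01-12T20:00:00+00:00",
    "2014-01-13T03:00:00+00:00",
]


def to_local(ts_utc, tz_name):
    """Parse an ISO-8601 UTC timestamp and shift it into the candidate zone."""
    return datetime.fromisoformat(ts_utc).astimezone(get_zone(tz_name))


def business_hours_fraction(timestamps_utc, tz_name, workdays,
                            start_hour=8, end_hour=18):
    """Fraction of events that fall on a workday between start_hour and end_hour
    (end exclusive) in the candidate zone. Higher means a better fit."""
    hits = 0
    for ts in timestamps_utc:
        local = to_local(ts, tz_name)
        if local.weekday() in workdays and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(timestamps_utc)


def hour_histogram(timestamps_utc, tz_name):
    """Count events per local hour; a daytime bulge supports that zone."""
    return Counter(to_local(ts, tz_name).hour for ts in timestamps_utc)


def rank_hypotheses(timestamps_utc, hypotheses):
    """hypotheses: list of (label, tz_name, workdays). Best-fitting first."""
    scored = [(label, business_hours_fraction(timestamps_utc, tz, days))
              for label, tz, days in hypotheses]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    hypotheses = [
        ("Iran (Sat-Wed, Asia/Tehran)", "Asia/Tehran", IRAN_WORKWEEK),
        ("US East (Mon-Fri, America/New_York)", "America/New_York", US_WORKWEEK),
    ]
    for label, score in rank_hypotheses(SAMPLE_ACTIVITY_UTC, hypotheses):
        print(f"{label}: {score:.0%} of activity in business hours")
    print("Tehran local-hour histogram:",
          dict(sorted(hour_histogram(SAMPLE_ACTIVITY_UTC, "Asia/Tehran").items())))
```

The score is only a weak signal on its own (operators can work odd hours, and a zone shared by several countries cannot be separated this way), which is why the article pairs it with hosting location and language artifacts in the malware before drawing a conclusion.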

“This is consistent with the modus operandi of the Newscaster operatives from Iran,” Hultquist said after reviewing the LinkedIn messages between Bigelow and “John R. Bolton.” Hultquist declined in his research to publicly name any of the victims of the hackers.

The first person to suspect something was fishy with the Bolton LinkedIn profile was one of the former ambassador’s highest-profile rivals, Steve Clemons, who is now an editor-at-large of the Atlantic. Back in 2005, Clemons led a campaign to sink Bolton’s nomination in the Senate to be the U.S. ambassador to the United Nations. Bolton was granted a recess appointment.

In January, Clemons warned his readers to avoid the LinkedIn request from Bolton after an Atlantic information technology specialist suspected it was part of a phishing scam. It’s not the first time Bolton has been associated with hackers. In December Foreign Policy reported that Bolton’s AOL email account was hacked after he sent out an alarming email asking friends for money after he and his family were robbed at gunpoint in the Philippines. 

For now Bolton is taking the episode in stride. “I am honored to be selected by the Ayatollahs for this distinction,” he told The Daily Beast. “Maybe I should create a fake Iranian LinkedIn account and offer to give away the country’s nuclear weapons secrets. I will try to get to John Kerry first.”