Revealed – FBI Notifications: Malicious Cyber Actors Targeting U.S. Government Networks and Employees

he following bulletins were released in late May by the FBI to private industry partners and discuss attempts by malicious cyber actors to exploit government and private industry networks and employees, including their family members, using targeted campaigns involving false personas on various social media platforms.  The bulletins were originally posted on the website of The Security Awareness Company.

FBI Cyber Division Private Industry Notification 3 pages May 29, 2014 Download
FBI Liaison Alert System #M-000031-PH 3 pages May 29, 2014 Download

(U) Law enforcement has become aware that foreign cyber adversaries are utilizing popular social network sites to assess, target and successfully conduct computer network exploitation activities against:

  • US federal, state and local government and private academic and industry networks
  • Individual employees of US federal, state and local government and private academic and industries
  • Family members and personal and/or professional associates of these employees and private citizens with high visibility
  • It is advised that industry use due diligence to inform and educate their associates on the vulnerabilities associated with the use of social networking sites.

(U) The FBI and NCIS believe a group of cyber actors have been using various social networking sites to conduct spear phishing activities since at least 2011. FBI and NCIS investigation to date has uncovered 56 unique Facebook personas, 16 domains, and a group of IP addresses associated with these actors. These personas typically would attempt to befriend specific types of individuals such as government, military, or cleared defense contractor personnel. After establishing an online friendship the actor would send a malicious link (usually through one of the associated domains) to the victim, either through e-mail or in a chat on the social networking site eventually compromising the target’s computer. While this FLASH specifically deals with Facebook personas, it is believed that many of these personas also maintain a presence on other social networking sites such as LinkedIn, Google +, and Twitter which are just as malicious. This group of cyber actors also has created and maintained multiple malicious Web sites, often spoofing a legitimate Web site and implanting malicious links into the actor’s version of the Web site.

TECHNICAL DETAILS

(U) Based on investigative efforts, the FBI and NCIS believe the following names and Facebook User IDs (FBUID) are associated with fake personas and are involved in spear phishing activities on Facebook and additional social networking sites:

Abby Wilson
FBUID 100001249857290
Abraham Gomez
FBUID 100001545932069
Adia Mitchell
FBUID 100003299460070
Alfred Nilsson
FBUID 100004842848351
Alice Nilsson
FBUID 100004672090339
Alice Taylor
FBUID 100002924701430
Amanda Teyson
FBUID 100004718351670
Barbara White
FBUID 100002477442501
Berna Nani Achando FBUID 100003744333197 Brian Gibson
FBUID 100003911053827
David Williams
FBUID 100001537364844
Delia Carlsen
FBUID 100001476095681
Donnie Eadense
FBUID 103773899813841
Dorotha Baasch
FBUID 100005436935593
Elizabeth Anderson FBUID 100002725315556 Gina McCarron
FBUID 100002199199861
Heida Wagner
FBUID 100001511282747
Jane Baker (Ava T. Foster) FBUID 100007144985923 Jeann Maclkin
FBUID 100003591027097
Jinny Beyer
FBUID 100004052511791
John Molavi
FBUID 100001700742641
Joseph Nilsson
FBUID 100004530097827
Josh Nilsson (Josh Furie) FBUID 100004516801118 Justin Snyder
FBUID 100001450033215
Kendrick Babcock
FBUID 100006297457628
Mahnaz Rahami
FBUID 100001342226413
Mahsa Handyani
FBUID 100001429057324
Marine Johnson
FBUID 100003795818292
Mark Blyth
FBUID 100002866859249
Mary Cole
FBUID 100006363725699
Medhi Betterekoon FBUID 100002348575647 Mehdi Rastegar
FBUID 100001483627448
Mehdi Sharooz
FBUID 100002200349173
Michelle Hagerman FBUID 100002420632572 Mina Kasayi
FBUID 100001881978783
Nancy William
FBUID 100001739552330
Natasha Lovsky
FBUID 100001778948301
Nilofar Shorabi
FBUID 100001924237927
Olivia Johnson
FBUID 100002864097606
Painfuol Strick
FBUID 100002396473189
Rad Alborz
FBUID 1431218901
Reza Salimi
FBUID 100004568527560
Rozita Farhang
FBUID 100001317388321
Sandra Maler
FBUID 100006345461158
Sandy Laughlin
FBUID 100001223376364
Sara Afsoon
FBUID 100001667363382
Sara McKibben
FBUID 100007150052891
Sharon Wilson
FBUID 100002474596665
Sheida Zamani
FBUID 100001867145251
Simin Rahnama
FBUID 100001837158118
Susan Thomas
FBUID 100003080928027
Thomas Clausen
FBUID 100001560125984
Tim Caochoo
FBUID 100001777117063
Tina Moradi
FBUID 100002340489471
William Cooper
FBUID 100003792613688
Zainab Osman
FBUID 100002919467608

 

Domain IP address
4techspot.com 173.193.136.193
Accounts.google.com-login.mobi 184.82.8.14
199.26.84.169
Com-login.mobi 199.26.84.169
198.20.182.55
Download.updatexplore.com 46.4.213.50
192.69.208.213
Downloadcenter.mcafeea.com 184.82.167.203
Eyeleo.com-login.mobi 199.26.84.169
Flycenter.ir 74.116.84.123
Fun4us.us 174.37.172.68
199.26.84.143
199.26.84.175
209.236.114.84
192.69.204.57
46.4.149.236
Internetexplorers.org 184.82.202.248
199.26.84.169
209.99.40.221
213.152.173.147
Login.yahoo.com-login.mobi 198.20.182.53
199.26.84.169
mcafeea.com 94.102.55.169
184.82.202.248
mediaplayercodec.net 64.130.216.21
174.37.172.68
209.99.40.219
192.69.208.213
Newsonair.org 199.26.84.143
Update.mcafeea.com 46.4.149.236
46.4.190.235
91.109.17.16
91.109.17.48
192.69.204.57
213.152.173.147
Updatexplore.com 70.168.71.240
Youtube.com-login.mobi 94.23.116.228
199.26.84.169

(U) The following IP addresses have also been identified as associated with these actors:

141.255.161.171
198.20.182.55