Facebook announced last week that it had removed 200 accounts it found were run by a group of hackers based in Iran, as part of a larger cyber-spying operation that mainly targeted US military personnel and people working at defense and aerospace companies.
The group is known to security experts as “Tortoiseshell”. Its members used fake online profiles to connect with individuals in the military, build personal rapport and steer them to other sites, where they would be tricked into clicking links that infected their systems with spying malware. Some of the conversations between the hackers and their targets went on for months in order to establish that trust.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook’s investigations team said in a blogpost.
“The group made fictitious profiles across multiple social media platforms to appear more credible, often posing as recruiters or employees of aerospace and defense companies.”
Facebook’s team said the group used email, messaging, and collaboration services to distribute the malware. A spokesperson for Microsoft, which was also affected by the campaign, said the company had been made aware of the activity and would take additional measures to prevent something similar from happening in the future.
“The hackers also used tailored domains to attract their targets, including fake recruiting websites for defense companies, and they set up online infrastructure that spoofed a legitimate job search website for the US Department of Labor.”
Facebook said the hackers mainly targeted individuals in the US, along with a smaller number in the UK and elsewhere in Europe. The campaign has been running since 2020 and reportedly affected around 200 individuals.
“The campaign appeared to show an expansion of the group’s activity, which had previously been reported to concentrate mostly on the IT and other industries in the Middle East. Our investigation found that a portion of the malware used by the group was developed by Mahak Rayan Afraz, an IT company based in Tehran with ties to the Islamic Revolutionary Guard Corps,” Facebook said.
Facebook said it has now blocked the malicious domains it knows of from being shared on its platforms, and Google is also taking steps to ensure the domains are blocked.
Eric Mastrota is a Contributing Editor at The National Digest based in New York. A graduate of SUNY New Paltz, he reports on world news, culture, and lifestyle. You can reach him at firstname.lastname@example.org.