Facebook took down about 200 accounts on Thursday that were run by a group of hackers in Iran involved in cyber espionage operations, mostly targeting US military personnel and workers in the defense and aerospace sector.
The hacking group, known as “Tortoiseshell”, used Facebook and other social media platforms to contact targets and build trust with them over time before infecting their devices with malware. They also tricked targets into visiting other sites that contained malicious links, infecting their devices with spyware.
Their tactics included creating bogus recruiting websites and impersonating the US Department of Labor’s job portal. They also sent their targets links to malicious Microsoft Excel files. A Microsoft spokesman said in a statement that the company is aware of and tracking this actor and that it takes action when harmful behavior is detected.
Facebook investigators Mike Dvilyanski and David Agranovich said in a blog post, “This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who’s behind it.”
“As far as I know, this is the first public attribution of the group’s malware to a vendor or front company with ties to IRGC,” said Dvilyanski on a call with reporters.
Google, a subsidiary of Alphabet, said it had discovered and stopped phishing on Gmail and had warned affected users. Slack, a workplace chat service, said it had removed the hackers, who were using the service for social engineering, and had shut down any Workspaces that broke its rules.
According to Facebook, the hackers also used custom domains to lure their targets, such as phony recruiting websites for military contractors, and they set up online infrastructure spoofing a real job search website of the US Department of Labor.
Facebook said the campaign, which began in mid-2020, mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It declined to name the firms whose employees were targeted, but its director of cyber espionage, Mike Dvilyanski, said the “fewer than 200 individuals” who were targeted were being notified.
According to Facebook, the effort appeared to mark an expansion of the group’s operations, which had previously been reported to focus mostly on IT and other businesses in the Middle East. According to the investigation, a piece of the malware used by the group was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps.
The claimed link between MRA and Iranian state cyber espionage is not new. Last year, the cybersecurity firm Recorded Future named MRA as one of many contractors accused of aiding the IRGC’s elite Quds Force.
Iranian government spies, like other espionage services, have long been accused of contracting out their missions to a slew of local firms.
Facebook said the malicious sites had been blocked from being shared on its platform, while Google said the domains had been added to its “blocklist.”