Facebook disrupts Iran-linked hackers who tried to spy on US military personnel

The social media giant has blocked malicious domains and taken down the suspicious accounts

Facebook has disrupted a group of Iranian hackers who tried to use the platform to distribute malware and launch espionage operations targeting mainly US military personnel and defence firms, the company said on Thursday.

The hacking group, called Tortoiseshell, was previously reported to mainly focus on the technology industry in the Middle East. It used various malicious tactics to identify its targets and infect their devices with malware to enable espionage, Facebook said.

The social media giant said its probe found that some of the malware was developed by a Tehran-based IT company with ties to the Islamic Revolutionary Guard Corps.

“In an apparent expansion of malicious activity to other regions and industries, our investigation found [Tortoiseshell] targeting military personnel and companies in the defence and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe,” Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and David Agranovich, director of threat disruption, said in a joint statement.

“This activity had the hallmarks of a well-resourced and persistent operation … while relying on relatively strong operational security measures to hide who’s behind it,” they added.

Facebook said its platform was only one of the elements of the “much broader cross-platform cyber espionage operation”.

The California-based tech giant identified different tactics deployed by Tortoiseshell, including phishing and credential theft. The hackers created fake online accounts to contact targets, build trust and trick them into clicking on malicious links.

The fake accounts had profiles across multiple social media platforms to make them appear more authentic. These accounts often posed as recruiters and employees working in various industries such as defence, aerospace, hospitality, medicine, journalism, NGOs and aviation.

“Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months,” Mr Dvilyanski and Mr Agranovich said.

The hackers also created fake recruiting websites and spoofed a US Department of Labour job search site.

They created illegitimate domains to steal login credentials to the victims’ online accounts, Facebook said, adding that the hackers used several malware families.

“Our investigation and malware analysis found that a portion of their malware was developed by Mahak Rayan Afraz [MRA], an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps … some of the current and former MRA executives have links to companies sanctioned by the US government,” Facebook said.

To disrupt the operation, Facebook said it blocked the malicious domains from being shared on its platform, took down the group’s accounts and notified people who the company believed had been targeted by the threat group.

In a separate report released in May, Facebook said it detected and halted more than 150 secret influence operations in the past four years that violated its policy against co-ordinated inauthentic behaviour.

Covert influence operations targeted public debates across both established and emerging social media platforms, blogs, major newspapers and magazines. They were orchestrated by governments, commercial entities, politicians and political groups, globally as well as locally, the company said.

Updated: July 15th 2021, 7:35 PM