Facebook has revealed that Tortoiseshell hacking group from Iran used its social media network for spying on U.S. military.
Facebook had removed about 200 accounts run by a group of hackers in Iran as part of a cyber-spying operation that targeted mostly U.S. military personnel and people working at defense and aerospace companies.
Tortoiseshell hacking group used fake online personas to connect with targets, build trust sometimes over the course of several months and drive them onto other sites where they were tricked into clicking malicious links that would infect their devices with spying malware.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook’s investigations team said in a blog post.
The group made fictitious profiles across multiple social media platforms to appear more credible, often posing as recruiters or employees of aerospace and defense companies. Microsoft-owned LinkedIn said it removed a number of accounts. Twitter said it was investigating the information in Facebook’s report.
The group used email, messaging and collaboration services to distribute the malware, including through malicious Microsoft Excel spreadsheets. A Microsoft spokesperson said in a statement it was aware of and tracking this actor and that it takes action when it detects malicious activity.
Google said it had detected and blocked phishing on Gmail and issued warnings to its users. Workplace messaging app Slack Technologies said had acted to take down the hackers who used the site for social engineering and shut down all Workspaces that violated its rules.
The hackers also used tailored domains to attract its targets, Facebook said, including fake recruiting websites for defense companies, and it set up online infrastructure that spoofed a legitimate job search website for the U.S. Department of Labor.
Facebook said the hackers mostly targeted people in the United States, as well as some in the United Kingdom and Europe, in a campaign running since mid-2020. It declined to name the companies whose employees were targeted. Facebook’s head of cyber espionage Mike Dvilyanski said it was notifying the fewer than 200 individuals who were targeted.
The investigation found that a portion of the malware used by the group was developed by Mahak Rayan Afraz, an I.T. company based in Tehran with ties to the Islamic Revolutionary Guard Corps.
MRA’s alleged connection to Iranian state cyber espionage is not new. Last year cybersecurity company Recorded Future said MRA was one of several contractors suspected of serving the IRGC’s elite Quds Force.