Facebook says Iranian hackers used its platform to target U.S. military

The social media giant noted that the group, Tortoiseshell, has a history of attacking the information technology industry in the Middle East.

July 16, 2021 05:58 pm | Updated 05:58 pm IST


Facebook said on Thursday it disrupted an online cyber espionage campaign conducted by a group of Iranian hackers that targeted U.S. military personnel and companies in the defense and aerospace industries.



In a blog post, the company explained that its platform was one element of a much broader cross-platform cyber espionage operation.

“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said.

Tortoiseshell deployed fake profiles to connect with targets, build trust and trick them into clicking on malicious links. To make the profiles appear credible, the hackers created accounts across multiple social media platforms.

While most fictitious accounts posed as recruiters and employees of defense and aerospace companies, others claimed to work in hospitality, medicine, journalism, NGOs and airlines. The group also set up online infrastructure that mimicked a US Department of Labour job search site. In addition, they spoofed domains of major email providers and copied URL-shortening services.

“These domains appeared to have been used for stealing login credentials to the victims’ online accounts (e.g. corporate and personal email, collaboration tools, social media),” Facebook said.

Facebook also found that the group engaged with its targets for months and leveraged the social media platform to move conversations off-platform and send malware to them.

Facebook’s analysis found that a portion of the malware was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). The IRGC is the branch of the Iranian military responsible for the country’s cyber operations.
