On Thursday, Facebook announced that it had shut down approximately 200 accounts operated by a group of hackers in Iran as part of a cyber-spying operation that focused primarily on US military officials and others working in defense and aerospace firms.
The group, termed 'Tortoiseshell' by security experts, utilized fraudulent online identities to interact with targets, establish confidence over time (often months), and lead them to other sites where they were duped into clicking malicious links that infected their devices with spying software, according to Facebook.
In a blog post, Facebook's investigative team stated, "This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it."
Thus according to Facebook, the group created dubious identities on numerous social media sites to look more legitimate, frequently impersonating recruiters or staff of aerospace and defense firms. LinkedIn, which is controlled by Microsoft, announced the removal of several accounts, while Twitter said it was "actively investigating" the data in Facebook's report.
The virus was distributed via email, chat, and collaboration platforms, according to Facebook, including malicious Microsoft Excel spreadsheets. In a statement, a Microsoft spokesman said the company was aware and following this actor, and that it takes action when harmful behavior is detected.
Google stated it had discovered and prevented phishing on Gmail as well as provided user warnings. Slack, a workplace messaging service, claimed it has taken action against hackers who exploited the platform for social engineering and had shut down any Workspaces that broke its rules.
According to Facebook, the hackers utilized customized domains to entice their targets, including phony defense recruitment websites and internet infrastructure that spoofed a real job search website for the US Department of Labor.
In a campaign that began in mid-2020, Facebook claimed the hackers mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It did not name the firms whose employees were targeted, but its chief of cyber espionage, Mike Dvilyanski, said the "fewer than 200 individuals" who were targeted were being alerted.
The campaign appeared to demonstrate an extension of the group's operations, which had previously been claimed to focus mostly on the Middle East's I.T. and other businesses, according to Facebook. A section of the malware employed by the organization was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps, as per the inquiry.
Mahak Rayan Afraz's contact information was not readily available to Reuters, and former employees of the firm did not respond to LinkedIn messages sent to them. A request for comment from Iran's mission to the United Nations in New York was not promptly reported. The allegations that MRA is involved in Iranian state cyber espionage are not new. MRA was one of the numerous contractors suspected of assisting the IRGC's elite Quds Force, according to cybersecurity firm Recorded Future.
Iranian spies, like other espionage services, have long been alleged of farming out their missions to a variety of domestic contractors. Facebook stated the fraudulent domains had been prohibited from being shared, while Google said the domains had been placed to its "blocklist."