If you’re a member of the U.S. military who has received friendly Facebook messages from private sector recruiters for months, suggesting a lucrative future in the aerospace or defense industry, Facebook may have bad news for you.
On Thursday, the social media giant revealed it had tracked and at least partially disrupted a long-running Iranian hacking campaign that used Facebook accounts to masquerade as recruiters, luring US targets over social media with engineering job offers before sending them malware-infected files or tricking them into submitting sensitive credentials to phishing sites. Facebook says the hackers also claimed to work in the hospitality or medical industries, journalism, NGOs or airlines, sometimes engaging their targets for months with profiles on several different social media platforms. And unlike some previous cases of Iranian state-sponsored social media catfishing focused on Iran’s neighbors, this latest campaign appears to have largely targeted Americans and, to a lesser extent, victims in Britain and elsewhere in Europe.
Facebook says it removed “less than 200” fake profiles from its platforms as a result of the investigation and notified roughly the same number of Facebook users that hackers targeted them.
“Our investigation found that Facebook was part of a much larger spy operation that targeted people with phishing, social engineering, spoofed websites and malicious domains across multiple social media platforms, emails and collaboration sites,” David Agranovich, Facebook’s director of threat disruption, said Thursday in a press call.
Facebook identified the hackers behind the social engineering campaign as the group known as Tortoiseshell, believed to be working on behalf of the Iranian government. The group, which has loose ties and similarities to other Iranian groups better known as APT34 or Helix Kitten and APT35 or Charming Kitten, was first revealed in 2019. At that time, security firm Symantec spotted the hackers targeting Saudi Arabian IT vendors in an apparent supply chain attack designed to infect those companies’ customers with malware called Syskit. Facebook spotted the same malware used in this latest hacking campaign, but with a much broader set of infection techniques and with targets in the United States and other Western countries instead of the Middle East.
Tortoiseshell also appears to have favored social engineering over supply chain attacks from the start, beginning its social media catfishing as early as 2018, according to security firm Mandiant. This activity extends well beyond Facebook, says John Hultquist, Mandiant’s vice president of threat intelligence. “From some of the very early operations, they’ve been compensating for really simplistic technical approaches with really complex social media schemes, which is an area Iran is really good at,” Hultquist said.
In 2019, Cisco’s Talos security division spotted Tortoiseshell running a fake veterans’ site called Hire Military Heroes, designed to trick victims into installing a malware-laden desktop app on their PC. Craig Williams, director of the Talos intelligence group, says this bogus site and the larger campaign Facebook has identified both show how military personnel trying to find private sector jobs are ideal targets for spies. “The problem we have is that the veterans making the transition to the commercial world are a huge industry,” says Williams. “Bad guys can find people who will make mistakes, who will click on things they shouldn’t, who are drawn to certain propositions.”
Facebook warns the group also spoofed a US Department of Labor site; the company provided a list of the group’s fake domains that mimicked news media sites, versions of YouTube and LiveLeak, as well as many variations of URLs related to the Trump family and the Trump organization.
Facebook says it linked the group’s malware samples to a specific Tehran-based IT contractor called Mahak Rayan Afraz, which previously supplied malware to the Iranian Revolutionary Guard Corps, or IRGC, the first tenuous link between the Tortoiseshell group and a government. Symantec noted in 2019 that the group had also used certain software tools also used by the Iranian hacking group APT34, which has used social media decoys on sites like Facebook and LinkedIn for years. Mandiant’s Hultquist says the group shares some characteristics with the Iranian group known as APT35, which is said to work in the service of the IRGC. APT35’s history includes the use of an American defector, the former military intelligence contractor Monica Witt, to gain insight into her former colleagues that could be used to target them with social engineering campaigns and phishing.
The threat of Iran-based hacking operations, and in particular the threat of disruptive cyberattacks from the country, may have appeared to abate as the Biden administration stepped back from the Trump administration’s confrontational approach. The 2020 assassination of Iranian military leader Qassem Soleimani in particular led to an increase in Iranian intrusions, which many believed were a precursor to retaliatory cyberattacks that never materialized. President Biden, on the other hand, said he hoped to revive the Obama-era deal that suspended Iran’s nuclear ambitions and eased tensions with the country, a rapprochement that has been rocked by news that Iranian intelligence agents allegedly plotted to kidnap an Iranian-American journalist.
But the Facebook campaign shows Iranian espionage will continue to target the United States and its allies, even as broad political relations improve. “The IRGC is clearly spying on the United States,” Mandiant’s Hultquist said. “They are still not up to any good, and they need to be carefully watched.”
This story first appeared on wired.com.