Facebook said on Thursday it had blocked a “sophisticated” online cyber espionage campaign conducted by hackers in Iran attempting to surveil about 200 western military, defence and aerospace personnel via its platform.
According to Facebook, a group of Iranian hackers known as Tortoiseshell created fake online personas on its platform, posing as defence employees and recruiters, to trick victims into clicking on malicious links or files that would allow surveillance of their devices.
The campaign, running since 2020, targeted about 200 individuals in the military, defence and aerospace industries “primarily in the US, and to a lesser extent in the UK and Europe”, the platform said.
While Facebook has uncovered a handful of cyber espionage campaigns using its platform, such as one carried out by Chinese hackers to target pro-Uyghur activists and dissidents, the latest campaign was the first to target predominantly US citizens.
Facebook attributed the attacks to the Iran-based group Tortoiseshell with a “high level of confidence”. Tortoiseshell is believed to have largely targeted sectors such as IT in the Middle East since about 2018.
While Facebook did not suggest that the campaign was state-backed, it said it had found that a part of the malware deployed by the hackers was developed by Mahak Rayan Afraz, an IT company in Tehran “with ties to the Islamic Revolutionary Guard Corps”.
As well as using Facebook, Tortoiseshell created fake websites, including false versions of a US Department of Labor job search site and recruiting websites for particular defence companies. These allowed the hackers to steal their victims’ email and social media login details, and gather information about their device usage.
In other cases, the hackers hid malware in Microsoft Excel spreadsheets, giving them access to victims’ systems.
“Just the level of investment into the reconnaissance and social engineering phases has all the hallmarks of well-resourced and persistent behaviour that we’ve come to expect from more sophisticated advanced persistent threat actors that we track,” Mike Dvilyanski, Facebook’s head of cyber espionage investigations, told the Financial Times.
Iran — alongside Russia, China and North Korea — is one of the most potent cyber aggressors and has recently been targeting researchers, academics and diplomats with insights into policy. Earlier this week, for example, state-backed Iranian hackers were found to be impersonating academics at the University of London’s School of Oriental and African Studies as part of an espionage campaign targeting Middle East experts.
Facebook said it had disrupted the group by taking down “fewer than 200” of its accounts, blocking the malicious domains from being shared on its platform and notifying victims.
Many of the fake personas were cultivated across social media platforms, it added. LinkedIn said it had “restricted the accounts responsible” for the activity on its platform and was monitoring the situation, while Twitter said the platform was “actively investigating” the matter.
Microsoft said it was “aware and tracking this threat actor”. Google said it had added the malicious domains used by the hackers to its “blocklist”.