Facebook said on Thursday it had taken down about 200 accounts run by a group of hackers in Iran as part of a cyber-spying operation that targeted mostly U.S. military personnel and people working at defense and aerospace companies.
The social media giant said the group, dubbed ‘Tortoiseshell’ by security experts, used a social engineering campaign to trick their targets into clicking malicious links that would infect their devices with spying malware.
In order to do so, the hackers made ‘sophisticated fake online personas’ to contact the targets, according to a press release from the social media giant.
According to Forbes, the hackers, believed to be operating out of Tehran, ‘posed as recruiters, employees of defense contractors and young, attractive women on Facebook.’
Facebook confirmed to DailyMail.com that the hackers had posed as young, attractive women – among other personas.
‘These fictitious personas had profiles across multiple social media platforms to make them appear more credible,’ the press release from Facebook reads.
‘These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines.’
Facebook’s investigations team said in the press release that ‘this activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it.’
DailyMail.com has reached out to Facebook for more information and additional comment about the hackers.
Microsoft-owned LinkedIn said it had removed a number of accounts and Twitter said it was ‘actively investigating’ the information in Facebook’s report.
Facebook said the group used email, messaging and collaboration services to distribute the malware, including through malicious Microsoft Excel spreadsheets.
A Microsoft spokesperson said in a statement to Reuters that it was aware of and tracking this actor and that it takes action when it detects malicious activity.
Alphabet Inc’s Google said it had detected and blocked phishing on Gmail and issued warnings to its users. Workplace messaging app Slack Technologies Inc said it had acted to take down the hackers who used the site for social engineering and shut down all Workspaces that violated its rules.
The hackers also used tailored domains to lure their targets, Facebook said, including fake recruiting websites for defense companies.
The hackers also set up online infrastructure that spoofed a legitimate job search website for the U.S. Department of Labor.
Facebook said the hackers mostly targeted people in the United States, as well as some in the United Kingdom and Europe, in a campaign running since mid-2020.
The social media giant declined to name the companies whose employees were targeted but its head of cyber espionage Mike Dvilyanski said it was notifying the ‘fewer than 200 individuals’ who were targeted.
The campaign appeared to show an expansion of the group’s activity, which had previously been reported to concentrate mostly on the I.T. and other industries in the Middle East, Facebook said.
The investigation found that a portion of the malware used by the group was developed by Mahak Rayan Afraz (MRA), an I.T. company based in Tehran with ties to the Islamic Revolutionary Guard Corps.
Reuters could not immediately locate contact information for Mahak Rayan Afraz and former employees of the firm did not immediately return messages sent via LinkedIn.
Iran’s mission to the United Nations in New York did not immediately respond to a request for comment.
MRA’s alleged connection to Iranian state cyber espionage is not new. Last year cybersecurity company Recorded Future said MRA was one of several contractors suspected of serving the IRGC’s elite Quds Force.
Iranian government spies – like other espionage services – have long been suspected of farming out their mission to a host of domestic contractors.
Facebook said it had blocked the malicious domains from being shared and Google said it had added the domains to its ‘blocklist.’
Some of the domains included spoofs of news websites including Reuters, The Guardian, CNN and the BBC. Other spoofed domains included fake domains for the Trump Organization.
News of the Iranian hackers comes after months of cyber-security threats including ransomware targeting companies within the United States.
The U.S. government on Thursday unveiled an online hub for the victims of ransomware attacks, saying it will make it easier for companies and municipalities to find resources and get assistance if they are targeted by cyber hackers.
The website, www.StopRansomware.gov, is an initiative led by the Justice and Homeland Security departments.
Many of the resources and information that organizations need to deal with ransomware attacks have historically been scattered across multiple websites, which increased the ‘likelihood of missing important information,’ the Justice Department said in a statement.
The new website is ‘the first central hub consolidating ransomware resources from all federal government agencies,’ it said.
The launch of the site comes on the heels of a ransomware attack earlier this year against the Colonial Pipeline Co. that led to widespread shortages at gas stations along the East Coast of the United States.
The Justice Department was later able to help Colonial Pipeline recover some $2.3 million in cryptocurrency ransom it paid to hackers.
About $350 million in ransom was paid to cyber criminals in 2020, a more than 300% increase from the previous year, the department said.
‘The Department of Justice is committed to protecting Americans from the rise in ransomware attacks that we have seen in recent years,’ Attorney General Merrick Garland said.
The government is also offering rewards of up to $10 million for information that can identify or locate malicious cyber actors working at the behest of a foreign government to target critical U.S. infrastructure.
The U.S. State Department said in a statement that ‘certain malicious cyber operations targeting U.S. critical infrastructure may violate the CFAA (Computer Fraud and Abuse Act)’ and that it has ‘set up a Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources.’