Facebook has interrupted a sophisticated and highly targeted hacking campaign by a group that some experts have linked to the Iranian government, the company said Thursday.
The hacker group known as “Tortoiseshell” used Facebook and other social networks to trick military personnel and defense and aerospace industry employees into downloading custom malware that spied on victims and stole their data, the company said in a blog post.
“This campaign was highly targeted, and the group invested time in these fake personas and understanding their targets,” Mike Dvilyanski, head of cyber espionage investigations for Facebook, told reporters during a media call.
New link to Tehran: Facebook cyber experts determined that some of the hackers’ malware was developed by the Iranian IT company Mahak Rayan Afraz, which has ties to Iran’s Islamic Revolutionary Guard Corps.
“As far as I know, this is the first public attribution of the group’s malware to a vendor or front company with ties to [the] IRGC,” Dvilyanski said.
The targets: Tortoiseshell has traditionally targeted Middle Eastern IT companies. But in 2020, Dvilyanski said, it shifted its focus to aerospace and defense firms, mostly in the U.S. but also in Europe and Britain. With this hacking campaign, Tortoiseshell targeted fewer than 200 people.
The tactics: After posing as recruiters or fellow industry professionals, the hackers convinced victims to visit malicious websites that mimicked familiar domains. Some were for defense contractors, while one spoofed the U.S. Labor Department’s job search page. Other sites imitated email platforms to collect victims’ login credentials. In some cases, the hackers talked to their targets for months.
Many of the malicious sites collected information about victims’ computers, which helped the hackers deliver malware customized to individual victims, Facebook said.
The tools: Tortoiseshell is known to develop its own malware, including remote access trojans and keyloggers. In the latest campaign, it sometimes injected malware into Microsoft Excel spreadsheets.
Occasionally, Facebook said, the hackers used previously unseen malware that stored the results of its reconnaissance work in a hidden part of an Excel spreadsheet. Facebook surmised the hackers planned to trick their target into “saving and returning the file.”
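The two Excel tricks described above, malware carried in a spreadsheet and reconnaissance results parked in a hidden part of the workbook, both leave traces in the file's OOXML structure. The following is an added defender-side triage script, not code from Facebook or from the article, that opens an .xlsx as the zip archive it is and reports hidden or "veryHidden" worksheets, hidden defined names, and an embedded VBA project. It assumes (my interpretation, not something the article states) that "hidden part" means a hidden sheet or a hidden named range, and the VBA check is a general triage heuristic rather than anything Facebook attributed to this campaign. The sample workbooks are constructed in memory so the script runs offline.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML spreadsheet format (real, standard values).
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_hidden_parts(xlsx_bytes):
    """Return a list of (kind, name, detail) findings for an .xlsx given as bytes.

    Checks performed:
      * worksheets whose state is "hidden" or "veryHidden" (veryHidden sheets
        cannot be unhidden from the Excel UI, which makes them a convenient
        place to stash data the user is not meant to see),
      * defined names (named ranges) flagged hidden="1",
      * the presence of a VBA project part, i.e. macro code.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = set(zf.namelist())
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    for sheet in root.iter("{%s}sheet" % NS_MAIN):
        state = sheet.get("state", "visible")
        if state in ("hidden", "veryHidden"):
            findings.append(("sheet", sheet.get("name"), state))
    for dn in root.iter("{%s}definedName" % NS_MAIN):
        if dn.get("hidden") == "1":
            findings.append(("definedName", dn.get("name"), (dn.text or "").strip()))
    if "xl/vbaProject.bin" in names:
        findings.append(("vbaProject", "xl/vbaProject.bin", "macro code present"))
    return findings


def build_sample_xlsx(sheets, defined_names=(), with_vba=False):
    """Build a minimal constructed .xlsx package in memory (for testing the scanner).

    sheets:        list of (name, state) with state None, "hidden" or "veryHidden"
    defined_names: list of (name, reference, hidden_flag)
    """
    sheet_elems, rel_elems = [], []
    for i, (name, state) in enumerate(sheets, start=1):
        state_attr = ' state="%s"' % state if state else ""
        sheet_elems.append('<sheet name="%s" sheetId="%d"%s r:id="rId%d"/>' % (name, i, state_attr, i))
        rel_elems.append('<Relationship Id="rId%d" Type="%s/worksheet" Target="worksheets/sheet%d.xml"/>'
                         % (i, NS_REL, i))
    dn_elems = ['<definedName name="%s"%s>%s</definedName>' % (n, ' hidden="1"' if h else "", ref)
                for n, ref, h in defined_names]
    dn_block = "<definedNames>%s</definedNames>" % "".join(dn_elems) if dn_elems else ""
    workbook = ('<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets>%s</workbook>'
                % (NS_MAIN, NS_REL, "".join(sheet_elems), dn_block))
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Override PartName="/xl/workbook.xml" '
                     'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
                     '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels",
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                    '%s</Relationships>' % "".join(rel_elems))
        for i in range(1, len(sheets) + 1):
            zf.writestr("xl/worksheets/sheet%d.xml" % i, '<worksheet xmlns="%s"><sheetData/></worksheet>' % NS_MAIN)
        if with_vba:
            # Constructed placeholder bytes; a real part would be an OLE container.
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan a real file given on the command line.
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Demo: a constructed workbook with a veryHidden sheet, a hidden named range and a VBA part.
        data = build_sample_xlsx([("Sheet1", None), ("recon", "veryHidden")],
                                 [("hostinfo", "recon!$A$1:$B$10", True)], with_vba=True)
    for kind, name, detail in find_hidden_parts(data):
        print("%-12s %-20s %s" % (kind, name, detail))
```

Run it with a path to a workbook to triage that file, or without arguments to see the findings for the constructed sample. A clean workbook produces no output; anything it does list is worth a closer look, because legitimate business spreadsheets rarely need veryHidden sheets or hidden named ranges.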
The response: After deleting the hackers’ accounts and blocking people from posting their malicious links, Facebook notified suspected victims and shared technical data with industry and law enforcement partners.