Facebook said it has disrupted a network of hackers tied to Iran who were attempting to distribute malware via malicious links shared under fake personas. The social network’s cyber espionage investigations team has taken action against the group, disabled their accounts and notified the roughly 200 users who were targeted.
The hackers — believed to be part of the Tortoiseshell group — were targeting military personnel and people who worked in the aerospace and defense industries in the United States, often spending months on social engineering efforts with the goal of directing targets to attacker-controlled domains where their devices could be infected with espionage-enabling malware.
On Facebook, roughly 200 accounts associated with the hacking campaign were blocked and taken down.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said in a blog post. “Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and its activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing the malware itself.”
Facebook said the highly focused campaign marked a departure from Tortoiseshell’s usual attack pattern. The group, estimated to have been active since 2018, is known for focusing primarily on the information technology industry, not aerospace and defense.
Moreover, Facebook said the campaign also used several distinct malware families, and that at least a portion of the malware was custom developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some current and former MRA executives have links to companies sanctioned by the US government, Facebook said.
“We saw [Tortoiseshell] pivot in 2020 to the new focus on aerospace and defense in the US,” said Mike Dvilyanski, head of cyber espionage investigations for Facebook. “We have no insights as to the level of seniority in companies that the targets had. This relates to our overall investigation in malware analysis but we are confident that part of the malware was developed by the MRA.”