Facebook on Thursday disclosed it dismantled a “sophisticated” online cyber espionage campaign conducted by Iranian hackers targeting about 200 military personnel and companies in the defense and aerospace sectors in the U.S., U.K., and Europe using fake online personas on its platform.
The social media giant pinned the attacks to a threat actor known as Tortoiseshell (aka Imperial Kitten) based on the fact that the adversary used similar techniques in past campaigns attributed to the threat group, which was previously known to focus on the information technology industry in Saudi Arabia, suggesting an apparent expansion of malicious activity.
“This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage,” said Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption, at Facebook. “This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it.”
According to the company, the attacks were part of a much larger cross-platform campaign, with the bad actors leveraging Facebook as a social engineering vector to redirect the victims to rogue domains via malicious links.
To that end, Tortoiseshell is said to have deployed sophisticated fictitious personas to contact its targets, and sometimes engaging with them for months to build trust, by masquerading as recruiters and employees of defense and aerospace companies, while a few others claimed to work in hospitality, medicine, journalism, NGOs and airlines industries.
The fraudulent domains, including fake versions of a U.S. Department of Labor job search site and recruiting websites, were designed to target persons of likely interest within the aerospace and defense industries with the ultimate goal of perpetrating credential theft and siphoning data from email accounts belonging to the targets.
Besides taking advantage of different collaboration and messaging platforms to move conversations off-platform and deliver target-tailored malware to their victims, the threat actor also profiled their systems to vacuum information about the networks the devices were connected to and the software installed on them to deploy full-featured remote access trojans (RATs), device and network reconnaissance tools, and keystroke loggers.
Furthermore, Facebook’s analysis of Tortoiseshell’s malware infrastructure found that a portion of their toolset was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).
“To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor,” Dvilyanski and Agranovich said. Around 200 accounts run by the hacking group were removed, Facebook added.