A group of Iranian hackers used fake Facebook accounts to target US military personnel, as well as defense and aerospace workers, the social media company said Thursday.
The hacking group, known as Tortoiseshell, used Facebook and other social media platforms to engage with targets before infecting their devices with malware for espionage purposes. According to Facebook, a fake account would “contact its targets, build trust and trick them into clicking on malicious links.”
Facebook said it has removed "fewer than 200” fraudulent accounts linked to the operation, which often claimed to be recruiters or employees of various defense and aerospace companies. Others said they worked in hospitality, medicine, journalism, nongovernmental organizations or the airline industry.
Their tactics included setting up fake recruiting websites and spoofing a US Department of Labor job portal. They also gave their targets links to malicious Microsoft Excel spreadsheets.
Facebook said the hackers invested considerable time in their targets, and in some cases, talked with them for months to gain their trust.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook's head of cyberespionage investigations, Mike Dvilyanski, and its director of threat disruption, David Agranovich, said in a blog post.
Facebook’s investigation found some of the malware was developed by Mahak Rayan Afraz, a Tehran-based company linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). A number of current and former executives at the Iranian technology company are connected to entities sanctioned by the United States, the blog post said.
“As far as I know, this is the first public attribution of the group's malware to a vendor or front company with ties to IRGC,” Dvilyanski said on a call with reporters.
The company said it has taken down the accounts and notified Facebook users who were targeted. The hackers' targets were primarily in the United States, and to a lesser extent the United Kingdom and Europe.
Facebook said it has shared its findings and threat indicators with industry peers. According to Reuters, LinkedIn said it has deleted a number of fictitious accounts, and Twitter said it is “actively investigating.”
The revelation comes after the Department of Justice alleged four Iranian operatives had plotted to kidnap an Iranian American journalist based in Brooklyn. The unsealed indictment Tuesday did not identify the victim, but Masih Alinejad confirmed in a Twitter post that she was the target.
“What appalled me most is the brazenness with which the Islamic Republic of Iran tried to orchestrate a kidnapping attempt on the American soil,” she told Al-Monitor in a statement.