Skip to main content

Facebook says Iranian hackers spied on US military personnel using fake accounts

The social media company said the hackers baited targets into clicking on malicious links that would infect their devices with malware.
Facebook logos

A group of Iranian hackers used fake Facebook accounts to target US military personnel, as well as defense and aerospace workers, the social media company said Thursday. 

The hacking group, known as Tortoiseshell, used Facebook and other social media platforms to engage with targets before infecting their devices with malware for espionage purposes. According to Facebook, a fake account would “contact its targets, build trust and trick them into clicking on malicious links.”

Facebook said it has removed "fewer than 200” fraudulent accounts linked to the operation, which often claimed to be recruiters or employees of various defense and aerospace companies. Others said they worked in hospitality, medicine, journalism, nongovernmental organizations or the airline industry.

Their tactics included setting up fake recruiting websites and spoofing a US Department of Labor job portal. They also gave their targets links to malicious Microsoft Excel spreadsheets.

Facebook said the hackers invested considerable time in their targets, and in some cases, talked with them for months to gain their trust.

“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook's head of cyberespionage investigations, Mike Dvilyanski, and its director of threat disruption, David Agranovich, said in a blog post.

Facebook’s investigation found some of the malware was developed by Mahak Rayan Afraz, a Tehran-based company linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). A number of current and former executives at the Iranian technology company are connected to entities sanctioned by the United States, the blog post said.

“As far as I know, this is the first public attribution of the group's malware to a vendor or front company with ties to IRGC,” Dvilyanski said on a call with reporters. 

The company said it has taken down the accounts and notified Facebook users who were targeted. The hackers' targets were primarily in the United States, and to a lesser extent the United Kingdom and Europe.

Facebook said it has shared its findings and threat indicators with industry peers. According to Reuters, LinkedIn said it has deleted a number of fictitious accounts, and Twitter said it is “actively investigating.” 

The revelation comes after the Department of Justice alleged four Iranian operatives had plotted to kidnap an Iranian American journalist based in Brooklyn. The unsealed indictment Tuesday did not identify the victim, but Masih Alinejad confirmed in a Twitter post that she was the target. 

“What appalled me most is the brazenness with which the Islamic Republic of Iran tried to orchestrate a kidnapping attempt on the American soil,” she told Al-Monitor in a statement.

Join hundreds of Middle East professionals with Al-Monitor PRO.

Business and policy professionals use PRO to monitor the regional economy and improve their reports, memos and presentations. Try it for free and cancel anytime.

Free

The Middle East's Best Newsletters

Join over 50,000 readers who access our journalists dedicated newsletters, covering the top political, security, business and tech issues across the region each week.
Delivered straight to your inbox.

Free

What's included:
Our Expertise

Free newsletters available:

  • The Takeaway & Week in Review
  • Middle East Minute (AM)
  • Daily Briefing (PM)
  • Business & Tech Briefing
  • Security Briefing
  • Gulf Briefing
  • Israel Briefing
  • Palestine Briefing
  • Turkey Briefing
  • Iraq Briefing
Expert

Premium Membership

Join the Middle East's most notable experts for premium memos, trend reports, live video Q&A, and intimate in-person events, each detailing exclusive insights on business and geopolitical trends shaping the region.

$25.00 / month
billed annually

Become Member Start with 1-week free trial

We also offer team plans. Please send an email to pro.support@al-monitor.com and we'll onboard your team.

What's included:
Our Expertise AI-driven

Memos - premium analytical writing: actionable insights on markets and geopolitics.

Live Video Q&A - Hear from our top journalists and regional experts.

Special Events - Intimate in-person events with business & political VIPs.

Trend Reports - Deep dive analysis on market updates.

All premium Industry Newsletters - Monitor the Middle East's most important industries. Prioritize your target industries for weekly review:

  • Capital Markets & Private Equity
  • Venture Capital & Startups
  • Green Energy
  • Supply Chain
  • Sustainable Development
  • Leading Edge Technology
  • Oil & Gas
  • Real Estate & Construction
  • Banking

Start your PRO membership today.

Join the Middle East's top business and policy professionals to access exclusive PRO insights today.

Join Al-Monitor PRO Start with 1-week free trial