Facebook takes action against Iranian hackers targeting US military personnel, defense cos

Tortoiseshell used various tactics, techniques and procedures (TTPs) including social engineering wherein the group deployed sophisticated fake online personas to contact its targets, build trust and trick them into clicking on malicious links.


Devdiscourse News Desk | California | Updated: 16-07-2021 08:21 IST | Created: 16-07-2021 08:21 IST

Facebook has taken action against a group of Iranian hackers, known as Tortoiseshell in the security industry, who were targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe.

An investigation by Facebook's threat intelligence analysts and security experts found the group using a range of malicious tactics to identify its targets and infect their devices with malware for espionage.

"Today, we're sharing actions we took against a group of hackers in Iran to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and conduct espionage operations across the internet, targeting primarily the United States," the social networking giant wrote in a blog post on Thursday.

Tortoiseshell's tactics, techniques and procedures (TTPs) included social engineering: the group deployed sophisticated fake online personas to contact its targets, build trust and trick them into clicking on malicious links. Some of these fake accounts posed as recruiters and employees of defense and aerospace companies in the countries where their targets were located; other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines.

The group also created fake recruiting websites for particular defense companies and set up online infrastructure that spoofed a legitimate US Department of Labor job search site.

Tortoiseshell also used unique, custom malware tools, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers. The group used several distinct malware families, some of which were found to have been developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).

To disrupt the operation, Facebook blocked the malicious domains from being shared on its platform, took down the group's accounts and notified the people the group had targeted.
