Facebook catches Iranian spies fishing for US military targets

If you are a member of the US military who has been receiving friendly Facebook messages from private-sector recruiters for months, suggesting a lucrative future in the aerospace or defense contractor industry, Facebook may have bad news.

On Thursday, the social media giant revealed that it has tracked and, at least partially, disrupted a long-running Iranian hacking campaign that used Facebook accounts to pose as recruiters, luring US targets with convincing social engineering schemes before sending them malware-infected files or tricking them into submitting confidential credentials to phishing sites. Facebook says the hackers also pretended to work in the hotel or medical industry, in journalism, or in NGOs or airlines, sometimes engaging their targets for months with profiles on several different social media platforms. And unlike some previous cases of Iranian state-sponsored social media catfishing that targeted Iran’s neighbors, this latest campaign appears to have primarily targeted Americans and, to a lesser extent, victims in the UK and Europe.

Facebook says it has removed “less than 200” fake profiles from its platforms as a result of the investigation and notified roughly the same number of Facebook users that hackers had targeted them.

“Our investigation found that Facebook was one part of a much larger spy operation targeting people with phishing, social engineering, spoofed websites, and malicious domains across multiple social media platforms, email, and collaboration sites,” David Agranovich, Facebook’s director of threat disruption, said Thursday in a press call.

Facebook has identified the hackers behind the social engineering campaign as the group known as Tortoiseshell, believed to be working on behalf of the Iranian government. The group, which has some loose ties and similarities to other better-known Iranian groups known by the names APT34 or Helix Kitten and APT35 or Charming Kitten, first came to light in 2019. At the time, security firm Symantec saw the hackers breaching Saudi IT vendors in an apparent supply chain attack designed to infect the company’s customers with malware known as Syskit. Facebook has detected the same malware in this latest hacking campaign, but with a much broader set of infection techniques, and targeting the United States and other Western countries rather than the Middle East.

Tortoiseshell also appears to have opted for social engineering from the outset over a supply chain attack, beginning its social media phishing as early as 2018, according to security firm Mandiant. That includes much more than Facebook, says Mandiant VP of Threat Intelligence John Hultquist. “From some early operations, they compensate for really simplistic technical approaches with really complex social media schemes, which is an area that Iran is really adept at,” Hultquist says.

In 2019, the Talos security division of Cisco discovered Tortoiseshell running a fake site for veterans called Hire Military Heroes, designed to trick victims into installing a desktop application on their PC that contained malware. Craig Williams, director of the Talos intelligence group, says the fake site and the larger campaign Facebook has now identified show how military personnel trying to find jobs in the private sector represent a ripe target for spies. “The problem we have is that the transition from veterans to the commercial world is a huge industry,” says Williams. “Bad guys can find people who make mistakes, who click on things they shouldn’t, who are drawn to certain propositions.”

Facebook warns that the group also spoofed a US Department of Labor site. The company provided a list of the group’s fake domains posing as news media sites, versions of YouTube and LiveLeak, and many different variations on URLs related to the Trump family and the Trump organization.

Facebook says it has linked the group’s malware samples to a specific Tehran-based IT contractor named Mahak Rayan Afraz, which previously provided malware to Iran’s Revolutionary Guard Corps, or IRGC, the first tenuous link between the Tortoiseshell group and a government. Symantec noted in 2019 that the group had also used some software tools that were used by Iran’s APT34 hacking group, which has used social media lures on sites like Facebook and LinkedIn for years. Mandiant’s Hultquist says it shares some characteristics with the Iranian group known as APT35, which is believed to work in the service of the IRGC. The APT35 story includes the use of an American defector, military intelligence defense contractor Monica Witt, to get information about her former colleagues that could be used to target them with social engineering and phishing campaigns.

The threat of Iran-based hacking operations, and in particular the threat of disruptive cyberattacks from the country, may have faded as the Biden administration has reversed course from the Trump administration’s confrontational approach. The 2020 assassination of Iranian military leader Qassem Soleimani in particular led to a spike in Iranian intrusions that many feared were a precursor to retaliatory cyberattacks that never materialized. President Biden, by contrast, has signaled that he hopes to revive the Obama-era deal that suspended Iran’s nuclear ambitions and eased tensions with the country, a rapprochement that has been shaken by news that Iranian intelligence agents conspired to kidnap an Iranian-American journalist.

But the Facebook campaign shows that Iranian espionage will continue to target the United States and its allies, even as political relations generally improve. “The IRGC is clearly conducting its espionage in the United States,” says Mandiant’s Hultquist. “They are still not doing any good, and they need to be watched carefully.”

This story first appeared in wired.com.
