Facebook says Iranian hackers used it to lure defense company employees

Iranian hackers used Facebook to create elaborate personas to try to get Americans in the defense and aerospace industries to fall for phishing schemes, the company said Thursday.

The campaign, which began last year and used around 200 fake accounts, highlights the breadth and depth of efforts by Iranian and other state-affiliated cyber spies to hack into high-value targets like defense companies.

The personas were “designed to look like things people would engage with,” said Mike Dvilyanski, Facebook’s head of cyber-espionage investigations, including "attractive young women posing as professionals, sometimes pretending to be recruiters for particular companies or industries."

Having built up trust with their targets, the hackers would try to steer them to custom websites, like fake job recruiting portals, to try to steal their information, Dvilyanski said.

Facebook has notified about 200 users, most of them American, that they were targeted in the campaign. It is unclear if any of the phishing attempts were successful.

Iran’s U.N. mission did not respond to a request for comment.

It’s common for government-affiliated hackers to seek information on other countries’ military developments and is part of the daily grind of online espionage. But the Iranian hackers’ activity, detailed in a report Facebook published Thursday, shows them going to great lengths to build online characters that created relationships with Americans in those industries.

Eventually, they would try to convince their targets to click on a suspicious link or download a malicious file, which could help the hackers get access to their employer.

The hackers’ identities aren’t public, but they have loose ties to the Islamic Revolutionary Guard Corps, the branch of the Iranian military responsible for most of the country’s cyber operations, said John Hultquist, the director of threat intelligence at the cybersecurity company Mandiant, which also tracks the group.

“We can tie this activity to a company we believe is associated with the IRGC,” Hultquist said.

Vikram Thakur, a researcher at the cybersecurity company Symantec, which has tracked the hacker group for several years, said that it initially spied only on targets in the Middle East but pivoted to the U.S. defense sector “in recent months.”

While it is unclear if the Iranians were successful in breaching American targets, he said that the group’s effectiveness is due more to its persistence than any technologically sophistication.

“Volume and persistence seems to be working in their favor,” Thakur said.