On Thursday, Facebook disclosed that a network of hackers with ties to Iran tried to use its platform to target US military personnel. At the center of the campaign was a group known as Tortoiseshell. Facebook says the collective went after individuals and companies in the defense and aerospace industries. Its primary targets were in the US, but it also sought out people in the UK and parts of Europe.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said. “Our platform was one of the elements of the much broader cross-platform cyber-espionage operation, and its activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g., email, messaging and collaboration services and websites), rather than directly sharing of the malware itself.”
What went down appears to be unprecedented for Tortoiseshell. In the past, the group has primarily targeted IT companies throughout the Middle East. The methods it employed were similar to those that China’s Evil Eye used to target the Uyghur community earlier in the year.
Facebook says the group created “sophisticated online personas” to contact its targets and build trust with them before trying to convince them to click on malicious links. They had accounts across multiple social media platforms to make their ruse appear more credible. The group built fake recruiting websites and even went so far as to spoof a legitimate US Department of Labor job search tool. Facebook believes at least some of the malware the group deployed was developed by Mahak Rayan Afraz, a company with ties to the Islamic Revolutionary Guard Corps.
Iran has been accused of a variety of malicious online activities over the past year. Most notably, Microsoft said last September it was one of the countries that tried to meddle in the 2020 US presidential election.