Facebook Takes Down Accounts Used by Iranian Hackers

Facebook takes down accounts used by Iranian hackers to target US military personnel. According to Reuters, Facebook sabotaged an online spying campaign by Iranian hackers targeting nearly 200 military personnel and companies from the defense and aerospace sectors in the U.S., U.K., and Europe. The hackers used fake online identities on Facebook to carry out their campaigns.

Facebook linked the attacks with a threat actor known as Tortoiseshell (aka Imperial Kitten), based on similar tactics used earlier to target the information technology industry in Saudi Arabia.

Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption, at Facebook in a blog post said, “This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage. This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who’s behind it.”

Facebook revealed this was part of a bigger plan with the bad actors planning to leverage Facebook as a social engineering vector to redirect the victims to rogue domains via malicious links.

Tortoiseshell deployed sophisticated fake identities to contact targets. At times they kept interacting with victims for months to build trust, impersonating recruiters and employees of defense and aerospace companies. Many of these bad actors also claimed to work in the hospitality, medicine, journalism, NGO and airline industries.

The bad actors were known to have used fraudulent domains. Fake versions of U.S. Department of Labor job search sites and recruiting websites were developed to target users interested in aerospace and defense industries. This was all done with the sole purpose of perpetrating credential theft and siphoning data from email accounts belonging to the targets.

The threat actor also took advantage of different collaboration and messaging platforms, moving conversations off-platform and delivering target-tailored malware to their victims. Victims' systems were also profiled to collect information about the networks the devices were connected to and the software installed on them, after which the threat actor deployed full-featured remote access trojans (RATs), device and network reconnaissance tools, and keystroke loggers.

According to Facebook, a portion of Tortoiseshell malware infrastructure included a toolset developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).

Facebook Actions Against Threat Actors

  • Blocking malicious domains from being shared on their platform.
  • Taking down the group’s accounts.
  • Notifying people who were believed to be targeted by this threat actor.
