Facebook Takes Down 200 Accounts Run by Iranian Hackers
A cyber-spying operation that was uncovered and shut down by Facebook on Thursday had been targeting personnel from the U.S military and people working in defence and aerospace sectors. They created fake profiles that enabled them to connect with targeted people online, spending at times months on building trust and relationships to have them go onto other sites which contained harmful links which then infected their hardware with malware that was used for spying. To make the false profiles look more realistic they would often have accounts across multiple social media sites.
Facebook has said the attacks were carried out by a known group dubbed “Tortoiseshell”, as they’ve previously used techniques that were similar to the ones that happened recently. The previous attacks were focused on the information technology sectors in Saudi Arabia, meaning there has been a significant expansion of malicious activities. This time, they have been targeting the U.S., U.K. and Europe. Some of the personas the group had taken on were those of recruiters or employees of defence and aerospace companies, along with a few that claimed to work in different sectors such as journalism and medicine. The group used email, messaging and collaboration services to get the malware out, even using malicious Microsoft Excel spreadsheets.
"This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage," said Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption, at Facebook. "This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who's behind it."
Facebook wasn’t the only social media company that had totake action, as accounts on Twitter, LinkedIn, Slack and Gmail were found. Microsoft-owned LinkedIn has said it has removed accounts that were found to be involved, Google has detected and blocked phishing on Gmail and has notified users of the situation. Twitter is actively investigating the report from Facebook, and Slack has said it had taken down the hackers who were using the site, along with shutting down all users that violated the rules. The fake domains that were used to target persons of interest were those of such as a fake version of a U.S. Department of Labour job search website and different recruiting websites. The end goal of people clicking on the links and engaging in conversation was to steal credentials and siphon data from the target’s email accounts.
The campaign had been running since the middle of 2020, according to Facebook. They have declined to name companies whose employees had been targeted but they have notified said individuals. The investigation uncovered that part of the malware used was developed by Mahak Rayan Afraz (MRA), an information technology company based in Tehran that holds ties to the Islamic Revolutionary Guard Corps. MRA’s connection to Iranian cyber espionage isn’t a recent thing. Last year, Recorded Future - a cybersecurity company - had said MRA was one of several contractors whom are suspected of serving the IRGC's elite Quds Force. The malicious domains have been put on Google’s blocklist, and Facebook has also blocked them from being shared.
"To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group's accounts and notified people who we believe were targeted by this threat actor," Dvilyanski and Agranovich said.
Keep up-to-date with the latest tech industry insights, trends as well as information technologies, app development, and small business content with the Proteams Blog
Follow us on LinkedIn for updates on the latest tech news here