Facebook has taken down an operation by Iranian hackers targeting military, defense, and aerospace entities, particularly focused on the US.
“[W]e’re sharing actions we took against a group of hackers in Iran to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and conduct espionage operations across the internet, targeting primarily the United States,” the researchers write. “This group is known in the security industry as Tortoiseshell, whose activity was previously reported to mainly focus on the information technology industry in the Middle East. In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe. This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.”
The researchers explain that the threat actors went to great lengths to craft fake personas to interact with their targets.
“In running its highly targeted campaign, Tortoiseshell deployed sophisticated fake online personas to contact its targets, build trust and trick them into clicking on malicious links,” Facebook says. “These fictitious personas had profiles across multiple social media platforms to make them appear more credible. These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines. They leveraged various collaboration and messaging platforms to move conversations off-platform and send malware to their targets. Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months.”
The attackers put a similar amount of effort into building convincing phishing sites to steal victims’ credentials and deliver malware.
“This group created a set of tailored domains designed to attract particular targets within the aerospace and defense industries,” the researchers write. “Among them were fake recruiting websites for particular defense companies. They also set up online infrastructure that spoofed a legitimate US Department of Labor job search site. As part of their phishing campaigns, they spoofed domains of major email providers and mimicked URL-shortening services, likely to conceal the final destination of these links. These domains appeared to have been used for stealing login credentials to the victims’ online accounts (e.g. corporate and personal email, collaboration tools, social media). They also appeared to be used to profile their targets’ digital systems to obtain information about people’s devices, networks they connected to and the software they installed to ultimately deliver target-tailored malware.”
It’s worth noting that the initial approach was pure deception and social engineering, with no malware involved: the Tortoiseshell operators first sought to build trust with their targets, and the malware payloads came only later. New-school security awareness training can enable your employees to recognize the red flags associated with sophisticated social engineering attacks like this one.
Facebook has the story.