Facebook disrupts Iranian hackers using platform to target US military personnel

Facebook on Thursday announced that it had taken steps to disrupt a group of Iranian-based hackers that had leveraged the platform as part of a wider effort to target U.S. military personnel and the defense industry in other countries. 

According to Facebook, a cyber criminal group known as “Tortoiseshell” took steps including creating fake accounts posing as employees of defense and aerospace companies, pushing out malware tools, and using fake websites to steal login credentials of the work and personal accounts of victims. 

Military personnel and organizations in the United Kingdom and Europe were also targeted in the campaign. Facebook officials stressed Thursday that the platform was “one of the elements of a much broader cross-platform cyber espionage operation.”

“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and David Agranovich, director of threat disruption at the company, wrote in a blog post about the hacking group Thursday.

“The group’s activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing the malware itself,” they noted. 

Facebook found evidence that some of the malware used by the hacking group was developed by an Iranian IT company linked to the Iranian military, with company executives linked to groups previously sanctioned by the U.S. government. 

Facebook took steps including notifying potential victims, blocking the fake malicious websites from being shared on Facebook, and shutting down the fake accounts. The company also shared information on the hacking operation with law enforcement and industry peers to help block the activity not involving Facebook. 

“This was a well-resourced and carefully targeted campaign,” Nathaniel Gleicher, the head of security policy at Facebook, tweeted Thursday. “We’ve alerted people who we believe might have been targeted. Because the attempted compromise appeared to occur off our platform, we can’t assess how successful they were.”

The group previously targeted IT providers in Saudi Arabia, and Gleicher noted it was known in the past to mostly focus on the IT industry in the Middle East. 

This case is far from the first time Facebook has responded to Iranian-linked malicious activity on its platform. 

A report put out by the company in May found that a third of the networks the company shut down between 2017 and 2020 for inauthentic behavior were either linked to Russia or Iran. It also has taken down accounts linked to Iran attempting to interfere in U.S. elections. 

Sarah Jones, the senior principal analyst at FireEye’s Mandiant Threat Intelligence, said Thursday in a statement provided to The Hill that “Facebook’s description of Iranian groups which outsource all or parts of their operations to outside companies is consistent with our observations.”

Some of the fake websites used to target victims were a spoofed U.S. Department of Labor job search site, along with domains associated with the family of former President Trump.

“The existence of Trump related domains is notable, though we have no evidence that these domains were operationalized or used to target anyone affiliated with the Trump family or properties,” Jones said. “Domains such as these could suggest social engineering associated with US political topics.”

“Iran is still an aggressive cyber actor that shouldn’t be ignored,” Jones stressed. “Though a lot of their activity is focused on the Middle East, they are not limited to their region.”