How Iranian Hackers Targeted U.S. Military Personnel on Facebook

  • Iranian hackers of the ‘Tortoiseshell’ group engaged in social engineering against U.S. Army personnel.
  • The actors sent messages to the targets and led them to download malware from phishing sites.
  • The spoofed websites used for this purpose were made to steal a large variety of credentials.

Facebook has taken action against Iranian hackers of the ‘Tortoiseshell’ group, who were caught trying to trick American military personnel and people working for U.S.-based companies involved in the defense and aerospace industries. The actors' main goal was to infect the devices of their targets with malware which would enable them to engage in espionage. Being a sophisticated actor, ‘Tortoiseshell’ deployed a wide range of tactics and hiding methods, following a strong set of operational security measures to evade Facebook’s malicious/suspicious activity scanners.

The malware wasn’t sent directly to the victims, but instead, the actors used social engineering to convince the target to click on the download link themselves. The hackers posed as recruiters who worked for large defense and aerospace companies in the U.S., offering work with a lucrative salary to the targets. In some cases, NGOs, airlines, hospitality, or medicine profession personas were used, and in all cases, the link to the malware was presented as something relevant to the story.

The domains used for the phishing part are very well-crafted, with one being a spoofed U.S. Department of Labor job search site. These websites offer “login” options for social media, personal or professional email accounts, collaboration tools, etc. Once the victim entered their credentials on the phishing sites, they were redirected to download the malware, which came with a different name each time, depending on the social engineering pretext being used.

The malware itself is a full-featured remote-access trojan with keystroke logging and network reconnaissance tools. In some cases, the actors used MS Excel files laced with malicious macros that can perform various system commands. In one case, the Iranian hackers used a document that could write stolen info to a hidden area of the spreadsheet and had the victim return the file to them on the pretense of completing the job application.
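A defender triaging job-application attachments can look for the two traits described above: an embedded VBA project and worksheets whose state is hidden or "very hidden" (the latter cannot be unhidden from Excel's UI). The following is an added example, not code from Facebook's report or from the campaign, that inspects an OOXML workbook using only the Python standard library; the sample workbook it builds is constructed in code for the test and is not a real document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used in xl/workbook.xml
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def inspect_workbook(data: bytes) -> dict:
    """Return indicators found in an .xlsx/.xlsm package given as bytes.

    OOXML files are ZIP archives; the VBA project lives in xl/vbaProject.bin
    and the visibility of each sheet is the 'state' attribute of <sheet>
    in xl/workbook.xml ('visible' when absent, 'hidden', or 'veryHidden').
    """
    findings = {"has_vba_project": False, "hidden_sheets": [], "very_hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")
                name = sheet.get("name", "?")
                if state == "hidden":
                    findings["hidden_sheets"].append(name)
                elif state == "veryHidden":
                    findings["very_hidden_sheets"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Macro code plus a concealed sheet is the combination worth a manual look."""
    concealed = findings["hidden_sheets"] or findings["very_hidden_sheets"]
    return bool(findings["has_vba_project"] and concealed)


def build_sample_workbook(sheets, with_vba: bool) -> bytes:
    """Constructed minimal OOXML package for testing (hypothetical content).

    'sheets' is a list of (name, state) tuples. The VBA blob is a placeholder
    byte string, not a real macro project.
    """
    parts = []
    for i, (name, state) in enumerate(sheets, start=1):
        attr = "" if state == "visible" else f' state="{state}"'
        parts.append(f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"{attr}/>')
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">'
        f"<sheets>{''.join(parts)}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("xl/workbook.xml", workbook_xml)
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a visible application form plus a veryHidden sheet and a macro project
    sample = build_sample_workbook([("Application", "visible"), ("Data", "veryHidden")], True)
    result = inspect_workbook(sample)
    print(result, "suspicious" if is_suspicious(result) else "no indicators")
```

Flagging on the combination rather than on macros alone keeps the false-positive rate manageable for organisations that legitimately use macro-enabled workbooks; the presence of a veryHidden sheet in a file that arrived as a job application is the part that deserves an analyst's attention.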

‘Tortoiseshell’ used various malware variants in its FB campaign, most of which were developed by others. A sample analyzed by Facebook’s engineers reveals the involvement of an IT company in Tehran, ‘Mahak Rayan Afraz.’ For a full list of the indicators of compromise and the long list of phishing domains, check out Facebook’s detailed report.
