How Iranian Hackers Targeted U.S. Military Personnel on Facebook

By Bill Toulas / July 16, 2021

Facebook has taken action against Iranian hackers of the ‘Tortoiseshell’ group, who were caught trying to trick American military personnel and people working for U.S.-based companies involved in the defense and aerospace industries. The actors' main goal was to infect the devices of their targets with malware which would enable them to engage in espionage. Being a sophisticated actor, ‘Tortoiseshell’ deployed a wide range of tactics and hiding methods, following a strong set of operational security measures to evade Facebook’s malicious/suspicious activity scanners.

The malware wasn’t sent directly to the victims, but instead, the actors used social engineering to convince the target to click on the download link themselves. The hackers posed as recruiters who worked for large defense and aerospace companies in the U.S., offering work with a lucrative salary to the targets. In some cases, NGOs, airlines, hospitality, or medicine profession personas were used, and in all cases, the link to the malware was presented as something relevant to the story.

The domains used for the phishing part are very well-crafted, with one being a spoofed U.S. Department of Labor job search site. These websites offer “login” options for social media, personal or professional email accounts, collaboration tools, etc. Once the victim entered this info on the phishing sites, they were redirected to download the malware, which came with a different name each time, depending on what the social engineering fable was.

The malware itself is a full-featured remote-access trojan with keystroke logging and network reconnaissance tools. In some cases, the actors used MS Excel files laced with malicious macros that can perform various system commands. In one case, the Iranian hackers used a document that could write stolen info to a hidden area of the spreadsheet and had the victim return the file to them on the pretense of completing the job application.

‘Tortoiseshell’ used various malware variants in its FB campaign, most of which were developed by others. A sample analyzed by Facebook’s engineers reveals the involvement of an IT company in Tehran, ‘Mahak Rayan Afraz.’ For a full list of the indicators of compromise and the long list of phishing domains, check out Facebook’s detailed report.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: