Facebook on Thursday revealed that it had dismantled a “sophisticated” online cyberespionage campaign by Iranian hackers targeting approximately 200 military personnel and companies in the defense and aerospace industries in the US, UK and Europe, using fake online personas on its platform.
The social media giant attributed the attacks to a threat actor known as Tortoiseshell (aka Imperial Kitten) on the basis that the adversary used techniques similar to those seen in past campaigns attributed to the group, which was previously known to focus on the information technology industry in Saudi Arabia, suggesting an expansion of its malicious activity.
“This group used various malicious tactics to identify their targets and infect their devices with malware to enable espionage,” said Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption, at Facebook. “This activity had the characteristics of a well-funded and persistent operation, while relying on relatively strong operational security measures to hide who is behind it.”
According to the company, the attacks were part of a much larger cross-platform campaign, with bad actors using Facebook as a social engineering vehicle to redirect victims to malicious domains via malicious links.
To this end, Tortoiseshell reportedly deployed elaborate fictitious personas to contact its targets, sometimes engaging with them for months to build trust, masquerading as recruiters and employees of defense and aerospace companies, while a few others claimed to work in the hospitality, medicine, journalism, NGO and airline industries.
Scam domains, including bogus versions of a US Department of Labor job search site and recruiting websites, were designed to target people of potential interest to the aerospace and defense industries, with the ultimate goal of stealing credentials and siphoning data from the targets’ email accounts.
In addition to leveraging different collaboration and messaging platforms to move conversations off-platform and deliver tailor-made malware to their victims, the threat actor also profiled the victims’ systems to exfiltrate information about the networks the devices were connected to and the software installed on them, and deployed Remote Access Trojans (RATs), comprehensive device and network discovery tools, and keyloggers.
Additionally, Facebook’s analysis of Tortoiseshell’s malware infrastructure revealed that part of its toolset was developed by Mahak Rayan Afraz (MRA), a Tehran IT company linked to the Islamic Revolutionary Guard Corps (IRGC).
“To disrupt this operation, we have blocked the sharing of malicious domains on our platform, deleted the group’s accounts and notified the people who we believe were targeted by this malicious actor,” said Dvilyanski and Agranovich. About 200 accounts managed by the hacking group have been deleted, Facebook added.