If you're a member of the US military who's gotten friendly Facebook messages from private-sector recruiters for months on end, suggesting a lucrative future in the aerospace or defense contractor industry, Facebook may have some bad news.
On Thursday, the social media giant revealed that it has tracked and at least partially disrupted a long-running Iranian hacking campaign that used Facebook accounts to pose as recruiters, reeling in US targets with convincing social engineering schemes before sending them malware-infected files or tricking them into submitting sensitive credentials to phishing sites. Facebook says that the hackers also pretended to work in the hospitality or medical industries, in journalism, or at NGOs or airlines, sometimes engaging their targets for months with profiles across several different social media platforms. And unlike some previous cases of Iranian state-sponsored social media catfishing that have focused on Iran's neighbors, this latest campaign appears to have largely targeted Americans, and to a lesser extent UK and European victims.
Facebook says it has removed "fewer than 200" fake profiles from its platforms as a result of the investigation and notified roughly the same number of Facebook users that hackers had targeted them. "Our investigation found that Facebook was a portion of a much broader espionage operation that targeted people with phishing, social engineering, spoofed websites, and malicious domains across multiple social media platforms, email, and collaboration sites," David Agranovich, Facebook's director for threat disruption, said Thursday in a call with press.
Facebook has identified the hackers behind the social engineering campaign as the group known as Tortoiseshell, believed to work on behalf of the Iranian government. The group, which has some loose ties and similarities to other better-known Iranian groups known by the names APT34 or Helix Kitten and APT35 or Charming Kitten, first came to light in 2019. At that time, security firm Symantec spotted the hackers breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the company's customers with a piece of malware known as Syskit. Facebook has spotted that same malware used in this latest hacking campaign, but with a far broader set of infection techniques and with targets in the US and other Western countries instead of the Middle East.
Tortoiseshell also seems to have opted from the start for social engineering over a supply-chain attack, starting its social media catfishing as early as 2018, according to security firm Mandiant. That includes far more than just Facebook, says Mandiant vice president of threat intelligence John Hultquist. "From some of the very earliest operations, they compensate for really simplistic technical approaches with really complex social media schemes, which is an area where Iran is really adept," Hultquist says.
In 2019, Cisco's Talos security division spotted Tortoiseshell running a fake veterans' site called Hire Military Heroes, designed to trick victims into installing a desktop app on their PC that contained malware. Craig Williams, a director of Talos’ intelligence group, says that fake site and the larger campaign Facebook has identified both show how military personnel trying to find private-sector jobs pose a ripe target for spies. “The problem we have is that veterans transitioning over to the commercial world is a huge industry,” says Williams. “Bad guys can find people who will make mistakes, who will click on things they shouldn’t, who are attracted to certain propositions.”
Facebook warns that the group also spoofed a US Department of Labor site; the company provided a list of the group's fake domains that impersonated news media sites, versions of YouTube and LiveLeak, and many different variations on Trump family and Trump organization–related URLs.
Facebook says that it has tied the group's malware samples to a specific Tehran-based IT contractor called Mahak Rayan Afraz, which has previously provided malware to the Iranian Revolutionary Guard Corps, or IRGC—the first tenuous link between the Tortoiseshell group and a government. Symantec noted back in 2019 that the group had also used some software tools also spotted in use by Iran's APT34 hacking group, which has used social media lures across sites like Facebook and LinkedIn for years. Mandiant's Hultquist says it roughly shares some characteristics with the Iranian group known as APT35, too, which is believed to work in the service of the IRGC. APT35's history includes using an American defector, military intelligence defense contractor Monica Witt, to gain information about her former colleagues that could be used to target them with social engineering and phishing campaigns.
The threat of Iran-based hacking operations—and particularly, the threat of disruptive cyberattacks from the country—may have appeared to subside as the Biden Administration has reversed course from the Trump administration's confrontational approach. The 2020 assassination of Iranian military leader Qassem Soleimani in particular led to an uptick in Iranian intrusions that many feared were a precursor to retaliatory cyberattacks that never materialized. President Biden has, by contrast, signaled that he hopes to revive the Obama-era deal that suspended Iran's nuclear ambitions and eased tensions with the country—a rapprochement that has been rattled by news that Iranian intelligence agents plotted to kidnap an Iranian-American journalist.
But the Facebook campaign shows that Iranian espionage will continue to target the US and its allies, even as the broader political relations improve. "The IRGC are clearly conducting their espionage in the United States," says Mandiant's Hultquist. "They're still up to no good, and they need to be carefully watched."