The hackers presented themselves as recruiters, journalists, and hospitality workers to lure their victims.
If you've been a member of the US military and have for months been receiving friendly messages on Facebook from a private recruiter promising a lucrative future in the aerospace or defense contracting industry, Facebook may have some bad news for you.
On Thursday, the social media giant revealed that it had tracked and disrupted at least part of a long-running Iranian hacking campaign that used Facebook accounts to befriend its targets before sending them malware. The targets were US personnel, who were sent infected files under cover of social engineering schemes or tricked into providing sensitive information on phishing sites. Facebook says the hackers also pretended to work in the hospitality or medical industries, journalism, NGOs, or airlines, sometimes pursuing their targets for months with profiles spread across several social media platforms. In contrast to some previous cases of Iranian government-linked hunting on social media that focused on Iran's neighbours, this campaign appears to have mainly targeted Americans and, to a lesser extent, British and European victims.
Facebook says it removed "fewer than 200" fake profiles as a result of the investigation, and notified roughly the same number of Facebook users who had been targeted by the hackers.
“Our investigation found that Facebook was part of a much larger espionage operation targeting individuals with phishing, social engineering, fake websites, and malicious domains across multiple social media platforms, emails, and collaboration sites,” David Agranovich, Facebook's director of threat disruption, told reporters on Thursday.
Facebook has identified the hackers behind the social engineering campaign as a group known as Tortoiseshell, which is believed to operate on behalf of the Iranian government. The group, which has some loose ties and similarities to other well-known Iranian groups such as APT34, or Helix Kitten, and APT35, or Charming Kitten, was first exposed in 2019. At the time, security firm Symantec spotted the hackers compromising Saudi IT providers in a blatant supply chain attack designed to infect those providers' customers with malware known as Syskit. Facebook saw the same malware used in this latest campaign, but with a far wider variety of infection techniques and with targets in the US and other Western countries rather than the Middle East. Tortoiseshell also appears to have favored social engineering over supply chain attacks from the start, and has been phishing on social media since early 2018, according to security firm Mandiant. “This is more than just Facebook,” said John Hultquist, Mandiant's deputy director of threat intelligence. “From some initial operations, they offset simple simplifications with really sophisticated social media methods; this is an area where Iran is really good,” Hultquist says.
In 2019, Cisco's Talos security team caught Tortoiseshell running a fake website for veterans called Hire Military Heroes, designed to trick victims into installing a desktop application on their PC that contained malware. The fake site and the larger campaign identified by Facebook show how spies are trying to target military personnel looking for jobs in the private sector, says Craig Williams, director of the Talos intelligence group. “The problem we have is that veterans are getting into the business world in a big industry,” Williams said. "Bad people can find people who make mistakes, who click on things they shouldn't, and some of the statements are noted." Facebook warns that the group has also spoofed the website of the US Department of Labor. The company provided a list of the group's fake domains, which includes fake news media sites, lookalike versions of YouTube and LiveLeak, and various domain-name variations related to the Trump family and the Trump Organization. Facebook says it traced the group's malware to a private IT contractor based in Tehran, Mahak Rayan Afraz, which previously provided malware to Iran's Revolutionary Guards, or IRGC; this is the first known link between the Tortoiseshell group and the government. In 2019, Symantec noted that the group also used some of the software tools used by the Iranian hacking group APT34, which has practiced social media deception for years via sites like Facebook and LinkedIn. Mandiant's Hultquist says the group also has some overlap with the Iranian group known as APT35, which is believed to work in the service of the IRGC. APT35's history includes the use of a former US military officer and military intelligence contractor, Monica Witt, to obtain information on her former colleagues that could be used to target them through social engineering and phishing campaigns.
The threat of Iranian hacking might appear to be receding as the Biden administration changes course from the Trump administration's confrontational policies, and in particular the threat of disruptive state-sponsored cyberattacks. The assassination of Iranian military commander Qassem Soleimani in 2020 heightened tensions with Iran, and many feared it would be a precursor to retaliatory cyberattacks that never materialized. President Biden, by contrast, has hoped to revive the Obama-era agreement that halted Iran's nuclear ambitions and to ease tensions with the country, even as reports emerged that Iranian intelligence agents were plotting to kidnap an American journalist. But Facebook's findings show that Iranian espionage will continue to target the United States and its allies, even as broader political relations improve. "It is clear that the IRGC is spying on the United States," says Mandiant's Hultquist. "It is still not good and should be monitored carefully."
This story first appeared on wired.com.
Facebook is going after Iranian spies who were hunting US military targets