Facebook said it had taken down a network of fake Facebook profiles run by hackers tied to Iran, who were using them to spread malware.
The social media platform’s cyber espionage team detected the group and disabled its accounts. Facebook also notified about 200 users who were targeted in the campaign.
Researchers believe the attackers are part of the Tortoiseshell hacker group. The hackers focused on individuals working for various US military organizations. Facebook’s cybersecurity team says the attackers could spend months building a social engineering campaign before luring targets to attacker-controlled domains that delivered the malware.
About 200 accounts were blocked and taken down following an investigation by Facebook.
Facebook said on Friday that the operation, which targeted US users, was carried out by a well-resourced and persistent team that effectively hid its origins.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said in a blog post. “Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and its activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing the malware itself.”
Active since 2018, Tortoiseshell previously focused on disrupting the information technology industry rather than military sectors. Facebook said that the campaign’s malware, or at least part of it, was developed by Mahak Rayan Afraz (MRA), a software development company in Iran with ties to the country’s Islamic Revolutionary Guard Corps.
Some former and current MRA executives have ties to companies that are under the US government’s sanctions.
“We saw [Tortoiseshell] pivot in 2020 to the new focus on aerospace and defense in the US,” said Mike Dvilyanski, head of cyber espionage investigations at Facebook. “We have no insights as to the level of seniority in companies that the targets had. This relates to our overall investigation in malware analysis but we are confident that part of the malware was developed by the MRA.”