If you are a member of the US military who has been fielding friendly Facebook messages from private-sector recruiters for months on end, promising a lucrative future in the aerospace or defense industry, Facebook may have some bad news for you.
On Thursday, the social media giant revealed that it had been tracking, and at least partially disrupted, a long-running Iranian hacking campaign that used Facebook accounts to pose as recruiters, luring American targets with elaborate social engineering before sending them malware-laced files or tricking them into entering sensitive information, including identification details, on phishing sites. Facebook says the hackers also posed as workers in the hospitality and medical industries, journalism, NGOs, and airlines, sometimes engaging their targets for months with profiles on several different social media platforms. And unlike some earlier cases of Iranian state-sponsored social media catfishing, which focused on Iran's neighbors, this latest campaign appears to have largely targeted Americans and, to a lesser extent, British and European victims.
Facebook said it removed "less than 200" bogus profiles from its platforms as a result of the investigation and notified roughly the same number of Facebook users that the hackers had targeted them. "Our investigation found that the activity on Facebook was part of a much larger espionage operation that targeted people with phishing, social engineering, spoofed websites and malicious domains across multiple social media platforms, messaging and collaboration sites," David Agranovich, Facebook's director of threat disruption, said Thursday in a press call.
Facebook has identified the hackers behind the social engineering campaign as the group known as Tortoiseshell, believed to be working on behalf of the Iranian government. The group, which has loose ties to and similarities with the better-known Iranian groups APT34, also called Helix Kitten, and APT35, also called Charming Kitten, first came to light in 2019. At that time, the security company Symantec spotted the hackers breaching Saudi IT providers in an apparent supply chain attack designed to infect those companies' customers with malware known as Syskit. Facebook found the same malware used in this latest campaign, but with a much broader set of infection techniques and with targets in the United States and other Western countries rather than the Middle East.
Tortoiseshell also appears to have favored social engineering well before that supply chain attack, starting its social media catfishing as early as 2018, according to security firm Mandiant. And that activity extends well beyond Facebook, says John Hultquist, Mandiant's vice president of threat intelligence. "From some of the very early operations, they've been compensating for really simplistic technical approaches with really complex social media schemes, which is an area where Iran is really good," Hultquist said.
In 2019, Cisco's Talos security division spotted Tortoiseshell running a fake veterans site called Hire Military Heroes, designed to trick visitors into installing a malware-laden desktop application on their PCs. Craig Williams, director of the Talos intelligence group, said that this bogus site and the larger campaign Facebook has identified both show how military personnel looking for private-sector jobs make ideal targets for spies. "The problem we have is that the veterans making the transition to the commercial world are a huge industry," says Williams. "Bad guys can find people who will make mistakes, who click on things they shouldn't, who are drawn to certain propositions."
Facebook warns that the group also spoofed a US Department of Labor site. The company published a list of the group's fake domains, which mimicked news media sites and look-alike versions of YouTube and LiveLeak, along with many variations on URLs related to the Trump family and the Trump Organization.