LONDON: Facebook has blocked a cyberespionage campaign by Iranian hackers who sought to implant surveillance software into the devices of US, British and European military personnel.
The social network said a group of Iranian hackers known as Tortoiseshell created fake personas such as defense employees and recruiters in order to trick genuine members of the military and defense industries into following malicious links.
If those links were followed, surveillance software would have been planted on their devices, potentially revealing confidential information about the military.
The campaign, which has been running since 2020, targeted around 200 people in the military, defense and aerospace industries, Facebook said, adding that it was “primarily in the US, and to a lesser extent in the UK and Europe.”
The social media giant said part of the malware deployed by the hackers was developed by Mahak Rayan Afraz, an IT company in Tehran “with ties to the Islamic Revolutionary Guard Corps.”
Mike Dvilyanski, Facebook’s head of cyberespionage investigations, told the Financial Times: “Just the level of investment into the reconnaissance and social engineering phases has all the hallmarks of well-resourced and persistent behaviour that we’ve come to expect from more sophisticated advanced persistent threat actors that we track.”
Earlier this week, it was revealed that Iranian operatives were impersonating academics from London’s School of Oriental and African Studies in an attempt to reach Middle East experts and Iranian dissidents.
Amin Sabeti, executive director of the Digital Impact Lab, told Arab News that these kinds of campaigns are familiar territory for hackers working on behalf of Tehran. “It’s the same pattern that Iranian state-backed hackers have been following for years,” he said.
Iran’s social engineering techniques — which involve manipulation in order to obtain sensitive information, rather than direct hacking of accounts — take time to build the trust of their targets, but require considerably fewer resources than other cyberespionage methods, he added.
“It’s easy, cheap, there’s plausible deniability and it works, it’s effective,” he said, adding that it is difficult to establish a direct link between hacking networks and Tehran, but if they operate from Iran “they have the consent of the regime.”
Sabeti said: “If you’re a cybercriminal you’re after money, not intelligence. If you’re after intelligence, documents and those kinds of things, then you’re part of the intelligence agency. This is one of the ways you can establish whether they’re a state-backed hacker or not.”
Many of the fake profiles used on Facebook had their personas cultivated across several other social media platforms as well.
LinkedIn said it had “restricted the accounts responsible” on its platform and was monitoring the situation, while Twitter said it was “actively investigating” the matter.
Microsoft and Google also responded, with the latter saying it had now added the malicious domains used by Iran’s agents to its “blocklist.”