Iran appears to be intensifying its effort to exploit U.S. and Western targets in cyberspace, running a campaign aimed at manipulating American military personnel and defense companies on social media.
Tehran’s latest campaign, orchestrated on Facebook by a group known as Tortoiseshell, used a series of sophisticated, fake online personas to make contact with U.S. servicemembers and employees of major defense companies in order to infect their computers with malware and extract information.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said Thursday in a blog post, calling it part of a “much broader cross-platform cyber espionage operation.”
Employees of defense companies in the U.K. and other European countries were also targeted.
“These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in,” Facebook said. “Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines.”
And the hackers were in no hurry.
“Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months,” Facebook said. “They leveraged various collaboration and messaging platforms to move conversations off-platform and send malware to their targets.”
Facebook said it has notified users who appeared to have been targeted, took down the fake accounts and blocked the malicious domains from being shared.
The social media company said it was able to trace the activity to Iran, in part because of the distinctive malware, known to have been developed by Mahak Rayan Afraz, a Tehran-based company with links to Iran’s Islamic Revolutionary Guard Corps.
Mandiant Threat Intelligence, a private cybersecurity company, said Thursday that it agreed with Facebook’s assessment that Iran, and the IRGC in particular, was behind the campaign.
Tortoiseshell “has historically targeted people and organizations affiliated with the U.S. military and information technology providers in the Middle East since at least 2018,” Mandiant Senior Principal Analyst Sarah Jones said in an email.
Jones also said it was noteworthy that some of the fake domains associated with the Iranian campaign used the name of former U.S. President Donald Trump, including “trumphotel[.]net”, “trumporganization[.]world” and “trumporganizations[.]com”.
“Domains such as these could suggest social engineering associated with U.S. political topics,” Jones said. “We have no evidence that these domains were operationalized or used to target anyone affiliated with the Trump family or properties.”
Facebook, which discovered the hacking campaign, did not comment on whether Iran managed to steal any critical or sensitive data.
U.S. military officials also declined to speak about what, if anything, the Iranian hackers were able to steal.
“For operational security purposes, U.S. Cyber Command does not discuss operations, intelligence and cyber planning,” a spokesperson told VOA.
“The threats posed by social media interactions are not unique to any particular social media platform and Department of Defense personnel must be cautious when engaging online,” the spokesperson added.
U.S. intelligence officials have been increasingly concerned about Iran’s growing capabilities and aggressiveness in cyberspace.
In its annual Worldwide Threat Assessment, published in April, the Office of the Director of National Intelligence called Tehran “a significant threat to the security of U.S. and allied networks and data.”
“We expect Tehran to focus on online covert influence, such as spreading disinformation about fake threats or compromised election infrastructure and recirculating anti-U.S. content,” the report said.
Earlier this year, the U.S. intelligence community also accused Iran of meddling in the 2020 U.S. presidential election, carrying out a “multi-pronged covert influence campaign intended to undercut former President Trump’s reelection prospects.”
U.S. officials said part of that effort involved hacking voter registration systems in at least one U.S. state and using the information to send prospective voters threatening emails.
More recently, the cybersecurity firm Proofpoint said a separate Iranian hacker collective with ties to the IRGC, known as TA453 and Charming Kitten, posed as British university professors to steal information and research from think tanks and academics.