Iran appears to be stepping up its efforts to exploit US and Western targets in cyberspace and is running a campaign aimed at manipulating American military personnel and defense companies on social media.
Tehran’s most recent campaign, orchestrated by a group called Tortoiseshell on Facebook, used a series of elaborate, fake online personas to contact US soldiers and employees of large defense companies in order to infect their computers with malware and extract information.
“This activity was characterized by a well-equipped and sustained operation, while it relied on relatively strong operational security measures to hide who was behind it,” Facebook said in a blog post Thursday, calling it part of a “much broader cross-platform cyber espionage” campaign.
Defense workers in the UK and other European countries have also been targeted.
“These accounts often posed as recruiters and employees of defense and aerospace companies in the countries where their targets were located,” Facebook said. “Others claimed to work in hospitality, medicine, journalism, NGOs and airlines.”
And the hackers were in no hurry.
“Our research found that this group invested a lot of time in their social engineering efforts over the Internet and, in some cases, spent months working on their goals,” said Facebook. “They used various collaboration and messaging platforms to move conversations off the platform and send malware to their targets.”
Facebook said it had notified users who appeared to have been attacked, removed the fake accounts, and blocked the malicious domains from spreading.
The social media company said it was able to trace the activity to Iran, in part because of malware known to be developed by Mahak Rayan Afraz, a Tehran-based company with ties to Iran’s Islamic Revolutionary Guard Corps.
Mandiant Threat Intelligence, a privately held cybersecurity firm, said Thursday that it agreed with Facebook’s assessment that Iran, and the IRGC in particular, were behind the campaign.
Tortoiseshell “has targeted individuals and organizations associated with US military and information technology providers in the Middle East since at least 2018,” said Sarah Jones, Mandiant’s senior principal analyst, in an email.
Jones also said it was noteworthy that some of the fake domains related to the Iranian campaign used the name of former US President Donald Trump, including “trumphotel[.]net”, “trumporganization[.]world” and “trumporganizations[.]com”.
“Domains like this could indicate social engineering related to US political issues,” said Jones. “We have no evidence that these domains were operationalized or used to attack anyone associated with the Trump family or the properties.”
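The lookalike domains above are listed in defanged form (the “[.]” convention that keeps a report from turning indicators into live links). The following is an added example, not code from the article, Facebook or Mandiant: it pulls defanged domains out of report text, refangs them so they can go onto a blocklist, and flags any whose registrable label embeds a watched brand name. The sample text and the watched-brand list are constructed for the demonstration; the brand-matching is a naive substring check and the label extraction ignores multi-part public suffixes such as co.uk.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample report text: the three defanged domains named in the
# article plus one unrelated domain so the filter has something to reject.
SAMPLE_REPORT = (
    "Fake domains observed: trumphotel[.]net, trumporganization[.]world "
    "and trumporganizations[.]com. Unrelated infrastructure: example[.]com."
)

# Brand or organisation names the analyst wants to watch for (assumption).
WATCHED_BRANDS = ("trump",)

# A hostname written with "[.]" in place of every dot.
DEFANGED_DOMAIN = re.compile(r"\b[a-z0-9-]+(?:\[\.\][a-z0-9-]+)+\b", re.IGNORECASE)


def extract_defanged_domains(text: str) -> List[str]:
    """Return every defanged domain in the text, in order of appearance, lowercased."""
    return [m.group(0).lower() for m in DEFANGED_DOMAIN.finditer(text)]


def refang(domain: str) -> str:
    """Turn a defanged domain back into a real hostname for a blocklist or DNS lookup."""
    return domain.replace("[.]", ".")


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'trumphotel' for 'trumphotel.net'.

    Naive on purpose: it does not know about multi-part suffixes like co.uk.
    """
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def flag_brand_lookalikes(domains: Iterable[str], brands: Iterable[str]) -> Dict[str, str]:
    """Map each domain whose registrable label embeds a watched brand to that brand."""
    hits: Dict[str, str] = {}
    for domain in domains:
        # Hyphens are dropped so 'trump-hotel' and 'trumphotel' match the same way.
        label = registrable_label(domain).replace("-", "")
        for brand in brands:
            if brand.lower() in label:
                hits[domain] = brand
                break
    return hits


def triage(report_text: str, brands: Iterable[str] = WATCHED_BRANDS) -> Dict[str, str]:
    """Extract, refang and flag in one step; returns {refanged_domain: matched_brand}."""
    domains = [refang(d) for d in extract_defanged_domains(report_text)]
    return flag_brand_lookalikes(domains, brands)


if __name__ == "__main__":
    for domain, brand in triage(SAMPLE_REPORT).items():
        print(f"{domain}: lookalike of '{brand}' - candidate for blocklist / watchlist")
```

Run as a script it prints the three Trump-themed domains and stays silent on example.com; the point is not the regex but the workflow: keep indicators defanged while they sit in reports and tickets, refang only at the moment they are fed to a control, and treat a brand name inside a registrable label as a reason to look harder, not as proof of malice.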
Facebook, which discovered the hacking campaign, did not comment on whether Iran managed to steal critical or sensitive data.
US military officials also refused to talk about what, if anything, the Iranian hackers were able to steal.
“For reasons of operational security, the US Cyber Command does not discuss operations, secret services and cyber planning,” a spokesman told VOA.
“The threats posed by social media interactions are not limited to any particular social media platform, and Department of Defense staff must be careful when engaging in online activities,” the spokesman added.
US intelligence agencies are increasingly concerned about Iran’s growing capabilities and aggressiveness in cyberspace.
In its annual global threat assessment published in April, the Office of the Director of National Intelligence identified Tehran as “a significant threat to the security of US and allied networks and data.”
“We assume that Tehran is focusing on covert online influences such as spreading disinformation about fake threats or compromised electoral infrastructure and relaying anti-US content,” the report said.
Earlier this year, US intelligence also accused Iran of interfering in the 2020 US presidential election and of conducting a “multi-pronged covert campaign of influence intended to undermine the prospects of re-election of former President Trump.”
US officials said part of that effort was hacking voter registration systems in at least one US state and using the information to send threatening emails to potential voters.
Recently, cybersecurity firm Proofpoint said a separate Iranian hacker collective with ties to the IRGC, known as TA453 and Charming Kitten, pretended to be UK university professors in an attempt to steal information and research from think tanks and academics.