If you’re a member of the US military who’s gotten friendly Facebook messages from private sector recruiters for months on end, suggesting a lucrative future in the aerospace or defense contractor industry, Facebook may have some bad news.
On Thursday, the social media giant revealed that it’s tracked and at least partially disrupted a long-running Iranian hacking campaign that used Facebook accounts to pose as recruiters, reeling in US targets with convincing social engineering schemes before sending them malware-infected files or tricking them into submitting sensitive credentials to phishing sites. Facebook says that the hackers also pretended to work in the hospitality or medical industries, in journalism, or at NGOs or airlines, sometimes engaging their targets for months with profiles across several different social media platforms. And unlike some previous cases of Iranian state-sponsored social media catfishing that have focused on Iran’s neighbors, this latest campaign appears to have largely targeted Americans, and to a lesser extent UK and European victims.
Facebook says it’s removed “fewer than 200” fake profiles from its platforms as a result of the investigation, and notified roughly the same number of Facebook users that hackers had targeted them. “Our investigation found that Facebook was a portion of a much broader espionage operation that targeted people with phishing, social engineering, spoofed websites and malicious domains across multiple social media platforms, email and collaboration sites,” David Agranovich, Facebook’s director for threat disruption, said Thursday in a call with press.
Facebook has identified the hackers behind the social engineering campaign as the group known as “Tortoiseshell,” believed to work on behalf of the Iranian government. The group, which has some loose ties and similarities to other better-known Iranian groups known by the names APT34 or Helix Kitten and APT35 or Charming Kitten, first came to light in 2019. At that time, security firm Symantec spotted the hackers breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the company’s customers with a piece of malware known as Syskit. Facebook has spotted that same malware used in this latest hacking campaign, but with a far broader set of infection techniques and with targets in the US and other Western countries instead of the Middle East.
Tortoiseshell also seems to have opted from the start for social engineering over a supply chain attack, starting its social media catfishing as early as 2018, according to security firm Mandiant. That includes far more than just Facebook, says Mandiant vice president of threat intelligence John Hultquist. “From some of the very earliest operations, they compensate for really simplistic technical approaches with really complex social media schemes, which is an area where Iran is really adept,” Hultquist says.
In 2019, Cisco’s Talos security division spotted Tortoiseshell running a fake veterans’ site called Hire Military Heroes, designed to trick victims into installing a desktop app on their PC that contained malware. Craig Williams, a director of Talos’ intelligence group, says that fake site and the larger campaign Facebook has identified both show how military personnel trying to find private sector jobs pose a ripe target for spies. “The problem we have is that veterans transitioning over to the commercial world is a huge industry,” says Williams. “Bad guys can find people who will make mistakes, who will click on things they shouldn’t, who are attracted to certain propositions.”
Facebook warns that the group also spoofed a US Department of Labor site; the company provided a list of the group’s fake domains that impersonated news media sites, versions of YouTube and LiveLeak, and many different variations on Trump family and Trump organization-related URLs.