Hackers from Iran used Facebook to spy on US, UK & EU military personnel says firm

Social media giant Facebook on Friday revealed that it has taken down at least 200 accounts that were operated by Iranian hackers to target US military, defence and aerospace personnel. It revealed that the Iranian hackers that are also known as Tortoiseshell, maliciously identify their targets and then infect their gadgets by enabling espionage tools. "In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defence and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe," said Facebook in a blog post.

Hackers pose as recruiters and defence employees to lure targets

The investigating team revealed that Iran based hackers have been using four tactics, techniques and procedures (TTPs) to hit their targets-- Social engineering, phishing and credential theft, malware and outsourcing malware development. While explaining their modus operandi, the social media giant said that the hackers deployed sophisticated fake online personas to contact its targets, build trust and trick them into clicking on malicious links. These fictitious personas had profiles across multiple social media platforms to make them appear more credible. These accounts often posed as recruiters and employees of defence and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines. The group invested significant time into their social engineering, in some cases engaging with their targets for months.

Iranian hackers install malware for remote access 

They also set up online infrastructure that spoofed a legitimate US Department of Labor job search site. As part of their phishing campaigns, they spoofed domains of major email providers and mimicked URL-shortening services, likely to conceal the final destination of these links. The group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers.

Malware developed by Tehran based IT company

"They also shared links to malicious Microsoft Excel spreadsheets, which enabled malware to perform various system commands to profile the victim’s machine in a manner very similar to the Liderc reconnaissance tool identified by researchers at Cisco," added the Facebook statement. "The investigation and malware analysis also found that a portion of their malware was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some of the current and former MRA executives have links to companies sanctioned by the US government."