Facebook blocks highly targeted Iran-linked hacking campaign
New link to Tehran: Facebook cyber experts determined that some of the hackers’ malware was developed by the Iranian IT company Mahak Rayan Afraz, which has ties to Iran’s Islamic Revolutionary Guard Corps.
“As far as I know, this is the first public attribution of the group’s malware to a vendor or front company with ties to [the] IRGC,” Dvilyanski said.
The targets: Tortoiseshell has traditionally targeted Middle Eastern IT companies. But in 2020, Dvilyanski said, it shifted its focus to aerospace and defense firms, mostly in the U.S. but also in Europe and Britain. With this hacking campaign, Tortoiseshell targeted fewer than 200 people.
The tactics: After posing as recruiters or fellow industry professionals, the hackers convinced victims to visit malicious websites that mimicked familiar domains. Some impersonated defense contractors, while one spoofed the U.S. Labor Department’s job search page. Other sites imitated email platforms to collect victims’ login credentials. In some cases, the hackers talked to their targets for months.
Many of the malicious sites collected information about victims’ computers, which helped the hackers deliver malware customized to individual victims, Facebook said.
The tools: Tortoiseshell is known to develop its own malware, including remote access trojans and keyloggers. In the latest campaign, it sometimes injected malware into Microsoft Excel spreadsheets.
Occasionally, Facebook said, the hackers used previously unseen malware that stored the results of its reconnaissance work in a hidden part of an Excel spreadsheet. Facebook surmised the hackers planned to trick their target into “saving and returning the file.”
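The spreadsheet trick described above is the kind of thing a defender can check for before a returned file is opened. The following Python script is an added example, not code published by Facebook or the researchers. It assumes that the “hidden part” of the spreadsheet is a worksheet whose state is set to hidden or veryHidden in the .xlsx package (the page does not say exactly where the data was stored), and the sample workbook, sheet names and cell contents are all constructed here for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by .xlsx parts
MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": MAIN, "r": REL, "p": PKG_REL}


def _resolve_target(target: str) -> str:
    """Relationship targets are relative to xl/ unless written as an absolute part path."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def _cell_texts(sheet_xml: bytes) -> list:
    """Return (cell ref, text) for every cell on a worksheet. Inline strings are
    read directly; any other cell yields its raw <v> value (for shared-string
    cells that is an index into sharedStrings.xml, left unresolved here)."""
    out = []
    root = ET.fromstring(sheet_xml)
    for c in root.iterfind("m:sheetData/m:row/m:c", NS):
        t = c.find("m:is/m:t", NS)
        v = c.find("m:v", NS)
        text = t.text if t is not None else (v.text if v is not None else "")
        out.append((c.get("r"), text))
    return out


def triage_xlsx(data: bytes) -> dict:
    """Inspect an .xlsx (as bytes) for two artefacts worth a second look:
    worksheets whose state is 'hidden' or 'veryHidden' (the latter cannot be
    unhidden from the Excel UI, only via VBA or by editing the package), and
    an embedded VBA project. Hidden sheets are returned with their cell text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

        # Map relationship ids (rId1, rId2, ...) to worksheet part paths
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        target_by_id = {
            rel.get("Id"): _resolve_target(rel.get("Target"))
            for rel in rels.iterfind("p:Relationship", NS)
        }

        hidden = []
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.iterfind("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state == "visible":
                continue
            part = target_by_id[sheet.get(f"{{{REL}}}id")]
            hidden.append({"name": sheet.get("name"), "state": state,
                           "cells": _cell_texts(z.read(part))})
    return {"has_vba": has_vba, "hidden_sheets": hidden}


def build_sample_xlsx() -> bytes:
    """Constructed sample (not a real campaign file): a visible 'job posting'
    sheet plus a veryHidden sheet holding the sort of host details a
    reconnaissance script might stash for the victim to send back."""
    def worksheet(texts):
        rows = "".join(
            f'<row r="{i}"><c r="A{i}" t="inlineStr"><is><t>{t}</t></is></c></row>'
            for i, t in enumerate(texts, start=1))
        return f'<worksheet xmlns="{MAIN}"><sheetData>{rows}</sheetData></worksheet>'

    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
            '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
            '<Override PartName="/xl/worksheets/sheet2.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
            '</Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{PKG_REL}"><Relationship Id="rId1" '
            f'Type="{REL}/officeDocument" Target="xl/workbook.xml"/></Relationships>',
        "xl/workbook.xml":
            f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>'
            '<sheet name="Job Description" sheetId="1" r:id="rId1"/>'
            '<sheet name="_recon" sheetId="2" state="veryHidden" r:id="rId2"/>'
            '</sheets></workbook>',
        "xl/_rels/workbook.xml.rels":
            f'<Relationships xmlns="{PKG_REL}">'
            f'<Relationship Id="rId1" Type="{REL}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{REL}/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>',
        "xl/worksheets/sheet1.xml": worksheet(["Senior Avionics Engineer - please complete and return"]),
        "xl/worksheets/sheet2.xml": worksheet(["host=WS-ENG-07", "user=jdoe", "av=present"]),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_xlsx(build_sample_xlsx())
    print("VBA project present:", report["has_vba"])
    for s in report["hidden_sheets"]:
        print(f"{s['state']} sheet {s['name']!r}: {s['cells']}")
```

The check reads the workbook as the zip of XML parts that an .xlsx actually is, so it works without Excel installed and without trusting whatever a macro might do on open. A veryHidden sheet is a stronger signal than a merely hidden one, since ordinary users never set that state through the UI; either way, the hit is a reason to detonate the file in a sandbox rather than open it on the analyst’s workstation.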
The response: After deleting the hackers’ accounts and blocking people from posting their malicious links, Facebook notified suspected victims and shared technical data with industry and law enforcement partners.