Facebook disrupts Iranian group targeting US defense and aerospace sectors

Facebook said today it disrupted and took down accounts on its platform that were being used by an Iranian cyber-espionage network to go after employees working at US defense and aerospace companies.

In a press call today, executives from the Facebook security team said the group operated by registering accounts on Facebook for fake personas.

"These fictitious personas had profiles across multiple social media platforms to make them appear more credible," said Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption at Facebook.

"These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs, and airlines," the two added.

In order to avoid Facebook's URL and malware scanning capabilities, the Iranian operators would often try to move conversations with their would-be targets to other platforms in order to trick them into accessing phishing sites or downloading malware.

Dvilyanski and Agranovich said that based on the tools and infrastructure the threat actor used during their recent campaign, Facebook's security analysts were able to link this activity to a cyber-espionage group already known in the cybersecurity industry as Tortoiseshell.

Active since 2018, this group was primarily known for orchestrating IT supply chain attacks against Middle Eastern companies, according to a 2019 Symantec report.

Facebook said that based on their findings, the group now appears to have expanded operations globally.

Under 200 Facebook users targeted globally

Dvilyanski told the press today that the recent Tortoiseshell activity primarily targeted the defense and aerospace sectors in the US, but that the group also sparingly targeted employees working for EU and UK companies.

The Facebook exec said the company removed fewer than 200 accounts operated by the group and notified fewer than 200 targeted individuals.

Agranovich told reporters today that they don't have solid evidence to link the hacking group to an Iranian government entity.

Nonetheless, the Facebook exec said his team's investigation into the group's hacking tools found "that a portion of their malware was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC)."

The MRA has been known to be a contractor for Iran's cyber program already, based on this 2020 Recorded Future report [PDF], but Agranovich told reporters today that this is the first time the MRA is linked to a specific cyber-espionage group.

Indicators of compromise (IOCs) associated with this campaign are available in Facebook's report here.