Facebook Disrupts Iranian APT Campaign
'Tortoiseshell' Group Used the Social Network to Contact Targets
Facebook's threat intelligence team says it has disrupted an Iranian advanced persistent threat group that was using the social network as part of an effort to spread malware and conduct cyberespionage operations, primarily in the U.S.
Mike Dvilyanski, Facebook's head of cyberespionage investigations, and David Agranovich, director of threat disruption at Facebook, report that the APT group dubbed Tortoiseshell plotted to target military personnel and companies in the defense and aerospace industries in the U.S., and to a lesser extent in the U.K. and Europe.
"This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it," the Facebook team says.
Facebook blocked the malicious domains the group created from being shared on its platform, took down the group's accounts and notified those believed to have been targeted by the APT group.
The social media company says its platform was being used in Tortoiseshell's broader cross-platform cyberespionage operation. The APT group's activity on Facebook focused on social engineering, attempting to lure users off the social network, where they could be exposed to malware, rather than sharing the malware on Facebook.
FireEye, which tracks Tortoiseshell as UNC1833, says that since 2018, the group has primarily focused its efforts on Middle Eastern targets. It’s associated with another Iranian APT group, APT35, FireEye reports.
"Iran is still an aggressive cyber actor that shouldn't be ignored. Though a lot of their activity is focused on the Middle East, they are not limited to their region," says Sarah Jones, senior principal analyst with Mandiant Threat Intelligence.
Facebook says the Tortoiseshell gang created fake online personas when contacting targets, sometimes engaging them for months.
"These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines," Facebook says.
The APT group created dozens of fake domains designed to appeal to people from across a wide variety of industries and interests, Facebook says. These included five URLs containing the name "Trump." Other fake sites spoofed defense contractors, U.S. Labor Department career sites and email providers.
Tortoiseshell used the fake domains as bait to lure its targets off Facebook so it could conduct espionage, steal information or spread malware, Facebook says.
"These domains appeared to have been used for stealing login credentials to the victims' online accounts (e.g., corporate and personal email, collaboration tools, social media)," Facebook says. "They also appeared to be used to profile their targets' digital systems to obtain information about people's devices, networks they connected to and the software they installed to ultimately deliver target-tailored malware."
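The spoofed defense-contractor, career-site and email-provider domains described above are the kind of infrastructure a defender can screen for in outbound link logs or proxy data. The following is an added example, not code from Facebook, FireEye or Proofpoint, of a simple lookalike-domain classifier: it folds common digit-for-letter substitutions, compares the registrable domain against a list of protected brands by edit distance, and flags the case where a brand name is buried in a subdomain of an unrelated domain. The protected-brand list, the sample URLs and the two-label approximation of the registrable domain are all constructed assumptions; a real deployment would use the organisation's own domain inventory and the Public Suffix List.

```python
"""Flag URLs whose host resembles a protected brand (lookalike-domain check).

Added example, not the code of any organisation named in the article. The
brand list and sample URLs below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed protected brands: registrable domains an organisation wants
# impersonation attempts flagged for. None of these are real companies.
PROTECTED = {"examplecorp.com", "examplemail.net", "examplelabor.gov"}

# Characters commonly swapped for look-alike letters, folded before comparison
# so that "examp1ecorp" compares equal to "examplecorp". Hyphens are dropped.
HOMOGLYPHS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l", "-": None}
)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification for the example: real code should consult the Public
    Suffix List so that e.g. 'foo.co.uk' is handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url: str) -> str:
    """Return 'legit', 'lookalike', 'brand-in-subdomain' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable(host)
    if reg in PROTECTED:
        return "legit"
    reg_name = reg.split(".")[0]          # e.g. 'examp1ecorp' from 'examp1ecorp.com'
    folded = reg_name.translate(HOMOGLYPHS)
    subdomain_labels = host.split(".")[:-2]
    for brand in PROTECTED:
        bname = brand.split(".")[0]
        # Same name on another TLD, or within two edits once homoglyphs are folded.
        if folded == bname or levenshtein(folded, bname) <= 2:
            return "lookalike"
        # Brand used as a subdomain label of an unrelated registrable domain,
        # e.g. examplecorp.com.careers-portal.example
        if bname in subdomain_labels:
            return "brand-in-subdomain"
        # Brand embedded in a longer name, e.g. examplecorp-careers.net
        if bname in reg_name:
            return "lookalike"
    return "unrelated"


def scan(urls):
    """Classify each URL; returns a dict url -> verdict."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links of the kind that might appear in a proxy log.
    SAMPLE_URLS = [
        "https://mail.examplecorp.com/login",
        "https://examp1ecorp.com/careers/apply",
        "https://examplecorp.co/jobs",
        "https://examplecorp-careers.net/signin",
        "https://examplecorp.com.careers-portal.example/verify",
        "https://news.example.org/story",
    ]
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:20} {url}")
```

Only hits classified as "lookalike" or "brand-in-subdomain" would warrant review; the edit-distance threshold of two is deliberately tight so that short, genuinely unrelated names do not trip it.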
Facebook believes the group used custom malware that included full-featured remote access Trojans, device and network reconnaissance tools and keystroke loggers. Some of the malware used was developed by the Tehran IT company Mahak Rayan Afraz, which has ties to the Islamic Revolutionary Guard Corps, Facebook says.
On Wednesday, Proofpoint described another Iranian phishing attack operated by TA453, also known as Charming Kitten, that had the goal of obtaining information about foreign policy, insights into Iranian dissident movements and an understanding of U.S. nuclear negotiations.