Facebook exposes Iranian cyber-spying operation targeting US

Facebook exposed on Thursday an Iranian cyber-spying operation that went after U.S. military personnel and people working at defense and aerospace companies.  

The tech giant said that a group of Iranian hackers, known as Tortoiseshell, created fake social media profiles and sent targeted malicious links to victims.

The links, which aimed to infect devices to enable espionage, relied on different tactics, including fake job-recruiting sites. Facebook said the hackers tried to direct people to other websites, email, or messaging services.

The cyber criminals claimed to work in other areas, such as pharmaceuticals, journalism, and the airline industry. The hackers also imitated a U.S. Department of Labor job search site in what Facebook said appeared to be an effort to steal login credentials for the victims' online accounts, including social media and corporate email.

They also tried to trick targets into downloading malware onto their Windows PCs. This included an attempt to get individuals to download malicious Microsoft Excel spreadsheets that would allow the hackers to carry out various system commands on the computer. 

In parallel, search engine giant Google said it had detected and blocked phishing on Gmail and issued warnings to its users. Workplace messaging app Slack Technologies Inc. said it had acted to take down the hackers who used the site for social engineering and shut down all workspaces that violated its rules. 

Facebook’s head of cyberespionage investigations, Mike Dvilyanski, and its director of threat disruption, David Agranovich, wrote an explanatory blog post about the cyber-spying operation.  

“Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and the group’s activity on Facebook manifested primarily in social engineering and driving people off-platform, rather than directly sharing the malware itself,” Agranovich wrote.  

Facebook said it found that some of the malware was developed by an Iranian IT company known as Mahak Rayan Afraz with ties to the Islamic Revolutionary Guard Corps. 

In addition to notifying users who had been targeted by the campaign and disabling accounts belonging to the hackers, Facebook also blocked links on its platform to websites controlled by the group. 

Hackers also targeted people in the U.K. and Europe, the social network said. 

It is worth noting that an American cybersecurity company published a report on Tuesday identifying an Iranian hacker cell that targeted British experts to steal information.