Iranian hackers posed as young, attractive women on Facebook to make contact with defense personnel and US military personnel and compromise their computers.
Facebook said this marks a clear expansion of the Tortoiseshell group, which is believed to operate out of Tehran and which previously focused on IT industry targets in the Middle East. The group targeted not only US defense personnel but also people working in aerospace and defense, medicine, journalism, nonprofits and airlines in the US, Europe and the UK. It spent months building relationships with its targets and maintained matching personas on other social media sites outside Facebook.
Facebook said fewer than 200 people were targeted, and it deleted fewer than 200 accounts used by the group. The attacks began in 2020.
The purpose of the espionage campaign was to gather information about Tortoiseshell's targets and to attempt to obtain login credentials for corporate accounts. In one case, the group set up fake recruitment sites for defense companies, such as one at lockheedmartinjobs. In another, it impersonated a legitimate US Department of Labor job search site. Other domains registered by the group impersonated major media outlets, including cnnnews[.]Global and bbcnews[.]email. If a target entered login information on one of these fake sites, the Tortoiseshell hackers could capture the username and password.
Facebook Warning: U.S. Military Targeted By Iranian Hackers Posing As Attractive Women
The group also tried to trick targets into downloading malware onto Windows computers. This included an attempt to deliver malicious Microsoft Excel spreadsheets that would allow the attackers to execute various system commands on the victim's machine.
Facebook said part of its research and malware analysis pointed to Mahak Ryan Afraz (MRA), an IT firm in Tehran affiliated with the Islamic Revolutionary Guard Corps (IRGC). Mike Dvilyanski, head of cyberespionage investigations, said this was the first public attribution of the group, though he was unable to provide more information on how the links were discovered or about MRA itself.
The company was first named as an Iranian government contractor last year in a report by Recorded Future, a US cyber-intelligence firm, on Iran's online espionage activities. That report gave no further details about MRA, except that it was one of a handful of contractors serving "many government agencies", according to "self-proclaimed anti-government sources".
Forbes reviewed the domain records of the company's website, which was registered in 2013 and went offline three years later. The registration records placed the company in Tehran. A 2014 screenshot of the site shows a very basic security company. An attempt to reach the company via the website's e-mail address received no response.
News via Forbes