If you are a member of the U.S. military who has spent months receiving Facebook messages from private-sector recruiters hinting at a lucrative future in the aviation or defense industry, Facebook may have some bad news.
On Thursday, the social media giant revealed that it has tracked, and at least partially disrupted, an Iranian hacking campaign that used Facebook accounts to pose as recruiters, luring American targets with elaborate social engineering schemes before sending them malware-infected files or tricking them into entering sensitive credentials on phishing websites. Facebook says the hackers also posed as employees in the hospitality, medical, journalism, NGO and airline sectors, sometimes engaging their targets for months using profiles on several different social media platforms. And unlike some earlier Iranian state-sponsored social media phishing campaigns that focused on Iran’s neighbors, this latest campaign appears to have targeted mostly Americans, and to a lesser extent victims in the UK and Europe.
Facebook says that as a result of the investigation it removed “less than 200” fake profiles from its platforms and notified roughly the same number of Facebook users that they had been targeted by the hackers. “Our investigation revealed that Facebook was part of a much broader espionage operation targeting people with identity theft, social engineering, fraudulent websites and malicious domains across multiple social media platforms, email and collaboration sites,” David Agranovich, Facebook’s director of threat disruption, told reporters on Thursday.
Facebook has identified the hackers behind the social engineering campaign as a group known as Tortoiseshell, which is believed to be acting on behalf of the Iranian government. The group, which has loose ties and similarities to the better-known Iranian groups APT34 (also called Helix Kitten) and APT35 (Charming Kitten), first came to light in 2019, when security firm Symantec spotted the hackers compromising Saudi Arabian IT providers in an apparent supply chain attack designed to infect those companies’ customers with a piece of malware known as Syskit. Facebook observed the same malware in this latest hacking campaign, but with a far wider range of infection techniques, and with targets in the U.S. and other Western countries rather than the Middle East.
Tortoiseshell appears to have favored social engineering from the start, even before the supply chain attack, beginning its social media hunting as early as 2018, according to security firm Mandiant. That activity extends well beyond Facebook, says John Hultquist, Mandiant’s vice president of intelligence. “From some of the earliest operations, they were replacing really simplistic technical approaches with really complex social media schemes, which is an area where Iran is really skilled,” Hultquist says.
In 2019, Cisco’s Talos security division spotted Tortoiseshell running a fake veterans’ website called Hire Military Heroes, designed to trick victims into installing a malicious application on their computers. Craig Williams, director of Talos’ intelligence group, says the fake page and the larger campaign identified by Facebook show how military personnel looking for work in the private sector are a ripe target for spies. “The problem we have is that veterans moving into the commercial world are a huge industry,” Williams says. “Bad guys can find people who will make mistakes, who will click on things they shouldn’t, who are drawn to certain offers.”
Facebook adds that the group also spoofed the U.S. Department of Labor website; the company provided a list of fake domains that posed as news media sites, imitations of YouTube and LiveLeak, and many different variations on the Trump family name and URLs associated with the Trump Organization.