Iranian Hackers Target US Military Personnel on Facebook

Published · Jul 28, 2021

Facebook issued a warning and subsequent review about Iranian hackers targeting US military personnel on its platform. It appears the sizable campaign has been underway for the better part of a year.

The large-scale hacking campaign targets US military personnel, and to a lesser degree, individuals in America, the UK, and Europe. The victims work in a number of important industries, such as defense, aerospace, journalism, medicine, and nonprofit.

Facebook pinned the activity on a group known as “Tortoiseshell,” believed to be based in Tehran, Iran. Up until recently, it has mainly conducted cybercampaigns in the Middle East.

This Facebook campaign illustrates an expansion of the group's activities beyond that region.

Social Engineering and Spoofing

The hackers spent months setting up and operating a number of fake personas in order to “socially engineer” their targets.

Social engineering is a process by which one party attempts to subtly influence the behavior of others to achieve a goal. Phishing, the technique Tortoiseshell used here, is a common form of social engineering.

Hackers posed as recruiters and employees of defense contractors, luring targets in with the promise of jobs.

They were very cautious with their approach. Instead of attempting to load malware through Facebook, the attackers directed their targets to several other domains. Many of them were spoofs—imitations—of legitimate sites.

The over 100 spoofed domains include fake versions of a US Department of Labor job search site, Microsoft, LiveLeak, various Trump organizations, and even SoundCloud.

The hackers also spoofed major email service providers to trick targets into clicking malware-laden links.
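Spoofed domains of the kind described above are usually caught by comparing candidate hostnames against a short allowlist of brands worth protecting. The following is an added example (not code from the original post or from Facebook's report): it normalizes common character substitutions and scores each candidate against the allowlist with an edit-similarity ratio. The allowlist, the threshold, and every sample domain below are constructed assumptions for illustration, not domains attributed to this campaign.

```python
"""Lookalike-domain triage for a small brand allowlist (added example)."""
import re
from difflib import SequenceMatcher

# Assumed allowlist: brands a defender wants to protect (constructed).
TRUSTED_DOMAINS = ["microsoft.com", "soundcloud.com", "liveleak.com", "dol.gov"]

# Substitutions that commonly make a lookalike read like the real name.
# Multi-character pairs come first so "rn" is folded to "m" before "1" to "l".
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("-", ""), ("_", ""),
]

# Similarity above which a non-identical name is reported as a lookalike
# (assumed tuning value; raise it to reduce false positives).
THRESHOLD = 0.75


def hostname(url_or_domain):
    """Reduce a URL or bare domain to its lowercase hostname."""
    text = url_or_domain.strip().lower()
    text = re.sub(r"^[a-z][a-z0-9+.\-]*://", "", text)   # drop scheme
    return text.split("/")[0].split(":")[0]               # drop path and port


def registrable_label(host):
    """Return the label just left of the public suffix, e.g. 'microsoft'.
    Simplification: assumes a single-label suffix such as .com or .gov."""
    labels = [lbl for lbl in host.split(".") if lbl]
    if not labels:
        return ""
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Fold homoglyph substitutions so 'rnicr0soft' compares as 'microsoft'."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def classify(candidate, trusted=TRUSTED_DOMAINS, threshold=THRESHOLD):
    """Return (verdict, matched_trusted_domain).

    verdict is 'trusted' for the brand itself or one of its subdomains,
    'lookalike' for a different name that closely resembles a brand,
    and 'unknown' otherwise (matched domain is None in that case)."""
    host = hostname(candidate)
    for brand in trusted:
        if host == brand or host.endswith("." + brand):
            return ("trusted", brand)

    cand = normalize(registrable_label(host))
    best_brand, best_score = None, 0.0
    for brand in trusted:
        score = SequenceMatcher(None, cand, normalize(registrable_label(brand))).ratio()
        if score > best_score:
            best_brand, best_score = brand, score

    if best_score >= threshold:
        return ("lookalike", best_brand)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed samples, not domains from any report.
    for sample in ["https://login.microsoft.com/", "rnicrosoft.com",
                   "soundc1oud.com", "micr0soft-login.com", "example.org"]:
        print(sample, "->", classify(sample))
```

Run against a feed of domains seen in inbound mail links or DNS logs; anything reported as a lookalike is worth a block or a closer look before anyone clicks, while 'unknown' only means the name resembles none of the listed brands.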

Microsoft Excel files were a common delivery mechanism. The fake domains and malware were an attempt to steal login credentials in order to gain access to sensitive information, and possibly to commit identity theft to further extend the campaign's reach.

The hackers maintained consistent personas over multiple accounts on different sites to increase their effectiveness and evade detection.

With attacks like this increasingly common, it pays to verify who you are dealing with, using tools such as people search sites and background check services.

For its part, Facebook works to identify offending accounts and notify people it believes were targeted. Fewer than 200 people were warned, and fewer than 200 malicious accounts were removed.

Garan van Rensburg

Garan is a writer interested in how tech reshapes the environment, and how the environment reshapes tech. You'll usually find him inoculating against future shock and arguing with bots.