Facebook: Iranian Hackers Target Military, Aerospace Entities in the US

An Iran-linked hacking group tracked as Tortoiseshell has expanded its list of targets to newer industries and more geographies, according to a new warning from Facebook’s security team.

Recent activity that Facebook associated with the group focused on military personnel, defense organizations, and aerospace entities primarily in the United States and, to a lesser extent, the U.K. and Europe, showing an escalation of the group’s cyberespionage activities.

Active since at least 2018, Tortoiseshell was previously observed targeting information technology organizations in the Middle East, mostly in Saudi Arabia, with the Syskit backdoor, which was designed to collect various information from the compromised machines and send it to its command and control (C&C) server.

In 2019, Cisco Talos uncovered a Tortoiseshell campaign targeting military veterans in the United States, using the same backdoor previously associated with the group. The hackers deployed a fake website claiming to help veterans find jobs, but instead attempted to infect their devices with spying tools and other malicious programs.

Today, Facebook revealed that it took action against similar attacks from the Iranian hacking group, which leveraged its online platform to lure victims into downloading malware. The campaign continued to focus on U.S. targets, but expanded to the U.K. and Europe as well.

The activity observed by Facebook was part of a wider, cross-platform cyber espionage operation that leveraged the social media platform for social engineering rather than direct malware delivery. Victims were then lured off-platform for infection.

“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook says.

In support of the attacks, Tortoiseshell created sophisticated fake online personas – with profiles across multiple platforms – to engage with the intended victims and lure them into accessing malicious links. The personas employed various collaboration and messaging platforms and in some cases conducted months-long conversations with their targets.

The hackers were posing as recruiters and employees of defense and aerospace companies, as journalists, or as employees of NGOs and organizations in hospitality, medicine, and airline industries.

The hackers also deployed multiple domains tailored to specific targets in the aerospace and defense industries, including recruiting portals, a website that spoofed a legitimate US Department of Labor job search site, and domains that spoofed major e-mail providers and URL-shortening services.

The threat actor also used custom malware tools such as remote-access Trojans, reconnaissance tools, and keyloggers, including modified versions of the Syskit backdoor, Facebook says.

One of the malware tools used by the group is believed to have been developed by the Tehran-based IT company Mahak Rayan Afraz (MRA), which appears to be tied to the Islamic Revolutionary Guard Corps (IRGC), Facebook also notes.

Related: Iranian Hackers Impersonate British Scholars in Recent Campaign

Related: “Cyber Disruption” Stops Websites of Iranian Ministry

Ionut Arghire is an international correspondent for SecurityWeek.