Fri | Jul 16, 2021 | 1:44 PM PDT

What comes to mind when you think about Facebook?

Privacy violations? Angry rants about politics? Maybe you picture funny memes and birthday wishes. 

Now you can add this one: nation-state cyber actors using the platform to distribute malware and conduct espionage operations.

Facebook threat intelligence analysts just took action against a group of hackers, based in Iran, who were targeting key people in the United States.

The group, known in the security industry as Tortoiseshell, shifted from targeting the IT industry in the Middle East to targeting the U.S. military-industrial sector. According to Facebook:

"In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe.

This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage."

In other words, the group used Facebook as a staging platform for espionage against people in the U.S., specifically military personnel and defense and aerospace employees with access to information Iran wants.

What tactics did the Iranian espionage group use?

Facebook says the observed activity points to a well-resourced and persistent operation, one that relies on strong operational security to conceal who is behind it.

The group used Facebook as a platform to carry out its cyber espionage campaign, and Facebook's report breaks the activity down into four main sets of tactics, techniques, and procedures (TTPs). They are as follows, quoted from the report:

Social engineering

"In running its highly targeted campaign, Tortoiseshell deployed sophisticated fake online personas to contact its targets, build trust and trick them into clicking on malicious links. These fictitious personas had profiles across multiple social media platforms to make them appear more credible.

These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines. They leveraged various collaboration and messaging platforms to move conversations off-platform and send malware to their targets.

Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months."

Phishing and credential theft

"This group created a set of tailored domains designed to attract particular targets within the aerospace and defense industries. Among them were fake recruiting websites for particular defense companies. They also set up online infrastructure that spoofed a legitimate US Department of Labor job search site.

As part of their phishing campaigns, they spoofed domains of major email providers and mimicked URL-shortening services, likely to conceal the final destination of these links. These domains appeared to have been used for stealing login credentials to the victims’ online accounts (e.g. corporate and personal email, collaboration tools, social media).

They also appeared to be used to profile their targets' digital systems to obtain information about people's devices, networks they connected to and the software they installed to ultimately deliver target-tailored malware."
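The spoofed e-mail-provider domains and mimicked URL-shortener services described in that passage are the kind of indicator a defender triages from proxy or mail logs. The following is an added example, not code from Facebook's report: a standard-library-only Python classifier that flags a link whose registrable domain is within a small edit distance of a protected e-mail provider or shortener domain, or that carries a protected brand name in a subdomain as decoration. The protected-domain list, the public-suffix subset, the distance threshold and the sample URLs are constructed assumptions for illustration.

```python
"""Flag phishing URLs whose host imitates an e-mail provider or URL shortener.

Added example, not code from Facebook's report. PROTECTED, the suffix set,
the threshold and the sample URLs are constructed for illustration; only the
standard library is used so the check runs offline over URLs pulled from logs.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Registrable domains to protect (constructed list; extend from your own inventory).
PROTECTED = {
    "gmail.com": "email provider",
    "outlook.com": "email provider",
    "yahoo.com": "email provider",
    "bit.ly": "url shortener",
    "tinyurl.com": "url shortener",
}

# Public suffixes under which the registrable name is the third label from the
# right (tiny subset; a real deployment would load the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

LOOKALIKE_MAX_DISTANCE = 2  # assumption: tune against your own false-positive rate


def registered_domain(host: str) -> str:
    """Registrable part of a host, e.g. accounts.gmail.com -> gmail.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Classify one URL's host against PROTECTED.

    Returns (verdict, protected_domain_matched):
      legitimate          host is a protected domain or a subdomain of it
      lookalike           registrable domain is within LOOKALIKE_MAX_DISTANCE of a protected one
      brand-in-subdomain  a protected brand name sits in a label left of the registrable domain
      unrelated           none of the above
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("unrelated", None)
    reg = registered_domain(host)
    for prot in PROTECTED:
        if reg == prot:
            return ("legitimate", prot)
    for prot in PROTECTED:
        if edit_distance(reg, prot) <= LOOKALIKE_MAX_DISTANCE:  # e.g. gmai1.com vs gmail.com
            return ("lookalike", prot)
    # Labels to the left of the registrable domain, e.g. ["gmail", "com"] for
    # gmail.com.account-verify.net, where the brand is only decoration.
    left = host[: -len(reg)].rstrip(".").split(".") if len(host) > len(reg) else []
    for prot in PROTECTED:
        brand = prot.split(".")[0]
        if any(brand in label for label in left):
            return ("brand-in-subdomain", prot)
    return ("unrelated", None)


def triage(urls: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Run classify over a batch and keep only the suspicious verdicts."""
    out = []
    for u in urls:
        verdict, prot = classify(u)
        if verdict in ("lookalike", "brand-in-subdomain"):
            out.append((u, verdict, prot))
    return out


if __name__ == "__main__":
    # Constructed sample of link destinations, as they might appear in a proxy log.
    SAMPLE_URLS = [
        "https://accounts.gmail.com/signin",
        "https://gmai1.com/login",
        "https://gmail.com.account-verify.net/",
        "https://blt.ly/x",
        "https://example.org/news",
    ]
    for row in triage(SAMPLE_URLS):
        print(row)
```

The check is deliberately conservative: it compares only the registrable domain, so a legitimate subdomain of a protected provider is not flagged, while a brand name pushed into a subdomain of an unrelated registrable domain is. Short shortener names such as bit.ly sit close to many other short domains, which is why the distance threshold is something to tune rather than a constant to trust.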

Malware

"This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers. Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they've used for years.

They also shared links to malicious Microsoft Excel spreadsheets, which enabled malware to perform various system commands to profile the victim's machine in a manner very similar to the Liderc reconnaissance tool identified by researchers at Cisco.

One previously unreported variant of the malicious tool was embedded in a Microsoft Excel document and was capable of writing the output (i.e. result of the system reconnaissance) to a hidden area of the spreadsheet, which presumably required an attacker to social engineer the target to trick them into saving and returning the file."
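Because the Excel variant in that passage writes its reconnaissance output to a hidden area of the spreadsheet, a document that comes back from a target is worth triaging for hidden sheets and an embedded macro project before anyone opens it. The following is an added example, not the tool Facebook describes and not Facebook's code: it opens the workbook as the OOXML zip package it is, lists sheets marked hidden or veryHidden, pulls their cell strings and matches them against a small constructed list of strings that look like host-profiling command output, and reports whether a VBA project part is present. The sample workbook it builds is a minimal constructed package, and the marker strings are assumptions.

```python
"""Triage an .xlsx/.xlsm for places where a recon payload could stash its output.

Added example, not code from Facebook's report. An OOXML workbook is a zip of
XML parts, so the standard library is enough; the sample workbook built below
and the RECON_MARKERS list are constructed for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_REL = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
NS_PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Fragments that look like output of host-profiling commands (constructed list).
RECON_MARKERS = ("Windows IP Configuration", "Physical Address", "USERDOMAIN", "OS Name")


def _sheet_strings(zf, part, shared):
    """Collect cell strings from one worksheet part (inline and shared strings)."""
    root = ET.fromstring(zf.read(part))
    out = []
    for c in root.iter(f"{NS_MAIN}c"):
        kind = c.get("t")
        if kind == "inlineStr":
            out.extend(t.text or "" for t in c.iter(f"{NS_MAIN}t"))
        elif kind == "s":
            v = c.find(f"{NS_MAIN}v")
            if v is not None and v.text is not None:
                out.append(shared[int(v.text)])
    return out


def triage_workbook(data: bytes) -> dict:
    """Return hidden sheets, suspicious strings found on them, and macro presence."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    findings = {
        "macro_project": "xl/vbaProject.bin" in names,  # .xlsm with VBA code
        "hidden_sheets": [],
        "recon_hits": [],
    }
    shared = []
    if "xl/sharedStrings.xml" in names:
        for si in ET.fromstring(zf.read("xl/sharedStrings.xml")).iter(f"{NS_MAIN}si"):
            shared.append("".join(t.text or "" for t in si.iter(f"{NS_MAIN}t")))
    # Map relationship ids (r:id on each <sheet>) to worksheet parts.
    rels = {}
    if "xl/_rels/workbook.xml.rels" in names:
        for r in ET.fromstring(zf.read("xl/_rels/workbook.xml.rels")).iter(f"{NS_PKG}Relationship"):
            target = r.get("Target")
            rels[r.get("Id")] = target.lstrip("/") if target.startswith("/") else "xl/" + target
    wb = ET.fromstring(zf.read("xl/workbook.xml"))
    for sheet in wb.iter(f"{NS_MAIN}sheet"):
        state = sheet.get("state", "visible")
        if state in ("hidden", "veryHidden"):  # veryHidden is only reachable from the VBA editor
            name = sheet.get("name")
            findings["hidden_sheets"].append((name, state))
            part = rels.get(sheet.get(f"{NS_REL}id"))
            if part in names:
                for s in _sheet_strings(zf, part, shared):
                    if any(m in s for m in RECON_MARKERS):
                        findings["recon_hits"].append((name, s))
    return findings


def build_sample(hidden_state: str = "veryHidden", with_macro: bool = True) -> bytes:
    """Construct a minimal package: a visible 'Invoice' sheet plus a 'Data' sheet
    holding a string that looks like ipconfig output (illustration only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub; not needed for this triage
        zf.writestr(
            "xl/workbook.xml",
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<sheets><sheet name="Invoice" sheetId="1" r:id="rId1"/>'
            f'<sheet name="Data" sheetId="2" state="{hidden_state}" r:id="rId2"/>'
            "</sheets></workbook>",
        )
        zf.writestr(
            "xl/_rels/workbook.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="x" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="x" Target="worksheets/sheet2.xml"/></Relationships>',
        )
        sheet = (
            '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
            '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>{}</t></is></c></row>'
            "</sheetData></worksheet>"
        )
        zf.writestr("xl/worksheets/sheet1.xml", sheet.format("Invoice total: 1200"))
        zf.writestr("xl/worksheets/sheet2.xml", sheet.format("Windows IP Configuration Host Name: WS01"))
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder OLE header bytes
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample()))
```

Run it over a returned attachment with `triage_workbook(open(path, "rb").read())`. The point of looking at the package rather than opening the file in Excel is that a veryHidden sheet does not appear in the Unhide dialog at all, so an analyst who only clicks through the workbook will not see the stashed output; anything the script flags should be handed to a proper macro analysis tool before the document is trusted.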

Outsourcing malware development

"We've observed this group use several distinct malware families. Our investigation and malware analysis found that a portion of their malware was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some of the current and former MRA executives have links to companies sanctioned by the US government."

Yes, there are memes and birthday wishes on Facebook, along with plenty of political "discussions." But there are also threat actors leveraging the world's leading social media platform.

For more detailed and technical information, you can read Facebook's report, Taking Action Against Hackers in Iran.