Iranian Hackers Targeted Western Militaries

On July 15, Facebook took down nearly 200 fake accounts used by Iranian hackers to target U.S., British and European military and defense personnel. The group, named Tortoiseshell by the cybersecurity company Symantec, sought to infect the computers of victims with malware and steal their login information. The malware used by the hackers was developed by Mahak Rayan Afraz (MRA), “an [information technology] company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC),” according to Facebook’s cybersecurity team. “Some of the current and former MRA executives have links to companies sanctioned by the U.S. government.”

The Iranian hackers posed as recruiters for the defense and aerospace industries, as well as employees in the hospitality industry, medicine, journalism, non-government organizations (NGOs) and civilian airliners. They reached out to their targets online “to build trust and trick them into clicking on malicious links,” Facebook said. The cyber operation was not limited to fake Facebook accounts. Hackers communicated with their targets over email and other online messaging services, sometimes for months at a time. The hackers exploited a vulnerability in Microsoft Excel that infected the computers of victims with malware when spreadsheets were opened. “This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said.

The Iranian hackers also ran several fake job recruiting websites – including one that mimicked the U.S. Department of Labor's job search website – to fool victims into entering their log in credentials. They spoofed email and web addresses for the U.S. Treasury, major media companies (BBC, CNBC, CNN, the Guardian and Thomson Reuters), technology companies (Facebook, Google, Microsoft and YouTube) and even the Trump Organization: the business conglomerate owned by former President Donald Trump. Facebook blocked the email and web addresses from being shared on its social media platforms and notified the "fewer than 200" hacking victims.

The U.S. military did not disclose who had been affected by the hack or what information was stolen. “For operational security purposes, U.S. Cyber Command does not discuss operations, intelligence and cyber planning,” a Pentagon spokesperson told Voice of America. “The threats posed by social media interactions are not unique to any particular social media platform and Department of Defense personnel must be cautious when engaging online.”

Tortoiseshell has been active as early as July 2018, but it was first discovered by Symantec in September 2019. The hackers infected several hundred computers used by Saudi Arabian IT providers with the same malware later used in the Facebook operation. Tortoiseshell also created a fake jobs website for American military veterans called “Hire Military Heroes,” Cisco Talso reported in late September 2019. The website asked visitors to download an app that infected their computer with malware. The following is Facebook’s announcement of its cybersecurity action.

 

Facebook Statement on July 15, 2021: “Facebook threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.

“Today, we’re sharing actions we took against a group of hackers in Iran to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and conduct espionage operations across the internet, targeting primarily the United States. This group is known in the security industry as Tortoiseshell, whose activity was previously reported to mainly focus on the information technology industry in the Middle East. In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe. This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.

“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it. Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and the group’s activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing the malware itself.

“We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:

Social engineering: In running its highly targeted campaign, Tortoiseshell deployed sophisticated fake online personas to contact its targets, build trust and trick them into clicking on malicious links. These fictitious personas had profiles across multiple social media platforms to make them appear more credible. These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines. They leveraged various collaboration and messaging platforms to move conversations off-platform and send malware to their targets. Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months.

Phishing and credential theft: This group created a set of tailored domains designed to attract particular targets within the aerospace and defense industries. Among them were fake recruiting websites for particular defense companies. They also set up online infrastructure that spoofed a legitimate US Department of Labor job search site. As part of their phishing campaigns, they spoofed domains of major email providers and mimicked URL-shortening services, likely to conceal the final destination of these links. These domains appeared to have been used for stealing login credentials to the victims’ online accounts (e.g. corporate and personal email, collaboration tools, social media). They also appeared to be used to profile their targets’ digital systems to obtain information about people’s devices, networks they connected to and the software they installed to ultimately deliver target-tailored malware.

Malware: This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers. Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for years. They also shared links to malicious Microsoft Excel spreadsheets, which enabled malware to perform various system commands to profile the victim’s machine in a manner very similar to the Liderc reconnaissance tool identified by researchers at Cisco. One previously unreported variant of the malicious tool was embedded in a Microsoft Excel document and was capable of writing the output (i.e. result of the system reconnaissance) to a hidden area of the spreadsheet, which presumably required an attacker to social engineer the target to trick them into saving and returning the file.

Outsourcing malware development: We’ve observed this group use several distinct malware families. Our investigation and malware analysis found that a portion of their malware was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some of the current and former MRA executives have links to companies sanctioned by the US government.

“We shared our findings and threat indicators with industry peers so they too can detect and mitigate this activity. To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.

 

Threat Indicators

Domains:

  • 1st-smtp2go[.]email
  • 2nd-smtp2go[.]email
  • 3rd-smtp2go[.]email
  • 4th-smtp2go[.]email
  • accounts[.]cam
  • activesessions[.]me
  • adobes[.]software
  • alhds[.]net
  • apppure[.]cf
  • bahri[.]site
  • bbcnews[.]email
  • bitly[.]cam
  • biturl[.]cx
  • brdcst[.]email
  • careeronestop[.]site
  • cc-security-inc[.]email
  • ccsecurity-mail-inc[.]email
  • ccsecurity-mail-inc[.]services
  • citymyworkday[.]com
  • cityofberkeley[.]support
  • cnbcnews[.]email
  • cnnnews[.]global
  • codejquery-ui[.]com
  • com-account-challenge[.]email
  • com-signin-v2[.]email
  • comlogin[.]online
  • comlogin[.]services
  • copyleft[.]today
  • crisiswatchsupport[.]shop
  • datacatch[.]xyz
  • dayzim[.]org
  • dh135[.]world
  • dollrealdoll[.]com
  • dollrealdoll[.]online
  • entrust[.]work
  • erictrumpfundation[.]com
  • facebookservices[.]gq
  • fblogin[.]me
  • fileblade[.]ga
  • findcareersatusbofa[.]com
  • fiservcareers[.]com
  • goodreads[.]rest
  • googl[.]club
  • gropinggo[.]com
  • hex6mak5z98nubb9vpd6t36cydkncfci9im872qx6hjci2egx8irq3qyt9pj[.]online
  • hike[.]studio
  • hiremilitaryheroes[.]com
  • hosted-microsoft[.]com
  • iemail[.]today
  • incognito[.]today
  • infoga[.]cam
  • iqtel[.]org
  • irtreporter[.]com
  • itiee[.]life
  • itieee[.]life
  • jessicamcgill[.]life
  • jqueryui-code[.]com
  • jumhuria[.]com
  • kartick[.]net
  • kaspersky[.]team
  • linkgen[.]me
  • linksbit[.]com
  • linq[.]ink
  • liveleak[.]cam
  • liveuamap[.]live
  • lockheedmartinjobs[.]us
  • loginaccount[.]email
  • logonexchangeonline[.]com
  • logonmicrosoftonline[.]com
  • lskjirn[.]life
  • mail2go[.]live
  • mail2go[.]online
  • mail2u[.]live
  • mailaccountlive[.]email
  • mailaccountlive[.]support
  • mailpublisher[.]live
  • mails[.]center
  • metacafe[.]live
  • micorsoftonilne[.]com
  • micorsoftonline[.]website
  • micorsoftonline[.]xyz
  • microsoftoffice[.]systems
  • microsoftonilne[.]cloud
  • mispace[.]cam
  • msol[.]live
  • msonline[.]live
  • mssecurityaccount[.]online
  • mydomainxyz[.]xyz
  • news-smtp2go[.]email
  • newsl[.]ink
  • noreplay[.]email
  • novafile[.]tk
  • onpointcorp[.]co
  • outlook-services[.]com
  • outlookservices[.]live
  • outlookservices[.]me
  • outube[.]live
  • pic-shareonline[.]com
  • pixlr[.]live
  • pixlr[.]myftp[.]org
  • post-jquery[.]com
  • prefiles[.]ml
  • publicsgroupe[.]net
  • pwutc[.]live
  • rali[.]live
  • recruitme[.]international
  • robotics[.]land
  • sabic[.]work
  • sandsngo[.]com
  • saudivisions2030[.]org
  • securityaccountreply[.]com
  • seery[.]online
  • sendblaster[.]org
  • sender[.]gb[.]net
  • shareae[.]cf
  • shlink[.]run
  • shlnk[.]run
  • short-l[.]link
  • shortli[.]live
  • shrt[.]rip
  • shur[.]live
  • shurl[.]site
  • site1[.]life
  • smtp-2go[.]com
  • smtp2go[.]best
  • smtp2go[.]club
  • smtp2go[.]email
  • smtp2go[.]fun
  • smtp2go[.]icu
  • smtp2go[.]live
  • smtp2go[.]me
  • smtp2go[.]pw
  • smtp2go[.]site
  • smtp2go[.]space
  • smtp2go[.]website
  • smtper[.]center
  • smtptogo[.]pw
  • soc-usa[.]email
  • soundcloud[.]fun
  • soundcloud[.]live
  • spreadme[.]international
  • src-ymlang[.]link
  • support-securitymail[.]email
  • support-ymail-team[.]online
  • surl[.]ist
  • surl[.]live
  • sxk8xrjtaikv3dxl7hgghw3vptvxpzzxeynrcltu4k3yeecjq3[.]online
  • systembackend[.]site
  • techmahindra[.]support
  • teleweb[.]world
  • tetra[.]email
  • thegardian[.]ml
  • thegaurdian[.]live
  • thomsonsreuters[.]email
  • thomsonsreuters[.]eu
  • thomsonsreuters[.]link
  • thomsonsreuters[.]net
  • tinil[.]ink
  • tinly[.]me
  • tinylink[.]pro
  • tinyurl[.]gold
  • tiwpan[.]xyz
  • tox[.]cheap
  • treasury[.]email
  • treporter[.]com
  • trumphotel[.]net
  • trumpnationallosangeles[.]email
  • trumporganization[.]world
  • trumporganizations[.]com
  • tv-youtube[.]com
  • uploaderfile[.]cf
  • usdailypost[.]com
  • usdailypost[.]net
  • usdp[.]news
  • vps[.]limited
  • watch-youtube[.]com
  • wikileaks[.]email
  • workshopplatform[.]network
  • xn--rumphotels-vcc[.]com
  • xn--twitte-u9a[.]com
  • xyzsitexyz[.]xyz
  • ymail-account[.]support
  • ymail-security-support[.]email
  • ymail-security[.]support
  • ymailaccounts[.]us
  • ymailsupport[.]info
  • zain[.]network