Facebook said on Thursday that it had deleted about 200 accounts operated by a group of hackers in Iran as part of a cyber espionage operation that targeted U.S. military personnel and personnel working in defense and aerospace companies.

The social media giant said the group, dubbed “Tortoiseshell” by security experts, uses fake online personas to connect with targets, sometimes building trust over a period of months, and then directs them to other websites, where they are tricked into clicking on malicious links that infect their devices with spyware.

Facebook’s investigation team stated in a blog post: “This activity is characterized by rich resources and continuous operation, while relying on strong operational security measures to hide behind the scenes.”

Facebook stated that the organization created fictitious profiles on multiple social media platforms to make it look more credible, often posing as recruiters or employees of aerospace and defense companies. Microsoft’s LinkedIn said it has deleted some accounts, and Twitter said it is “actively investigating” the information in the Facebook report.

Facebook stated that the group uses email, messaging, and collaboration services to distribute malware, including through malicious Microsoft Excel spreadsheets. A Microsoft spokesperson said in a statement that the company was aware of and tracking the group and took action when malicious activity was detected.

Alphabet’s Google said it has detected and prevented phishing on Gmail and issued a warning to its users. Slack, the workplace messaging app, said it has taken action to ban hackers who use the site for social engineering and to close all workspaces that violate its rules.

Facebook stated that the hackers also used customized domain names to lure their targets, including fake recruitment websites for defense companies, and set up online infrastructure that imitated the legitimate job search website of the U.S. Department of Labor.

Facebook stated that the hackers have targeted some people in the United States, the United Kingdom, and Europe in a campaign that began in mid-2020. It declined to disclose the name of the company whose employees were targeted, but its head of cyber espionage, Mike Dvilyanski, said it was notifying the “less than 200 people” who were targeted.

Facebook said that the campaign seems to indicate that the group’s activities are expanding. Previously, the group’s activities were reported to be concentrated mainly in IT and other industries in the Middle East. The investigation found that part of the malware used by the group was developed by Mahak Rayan Afraz (MRA), a company located in Tehran and linked to the Islamic Revolutionary Guard Corps.

Reuters could not immediately find contact information for Mahak Rayan Afraz, and the company’s former employees did not immediately respond to messages sent via LinkedIn. Iran’s mission to the United Nations in New York did not immediately respond to a request for comment.

MRA’s alleged connection with state cyber espionage is not new. Last year, cybersecurity company Recorded Future stated that MRA was one of several contractors suspected of serving the elite Quds Force of the Islamic Revolutionary Guard Corps.

Iranian government spies, like other espionage services, have long been suspected of handing off their tasks to a large number of domestic contractors.

Facebook said it has blocked the sharing of malicious domains, and Google said it has added these domains to its “block list.”

© Thomson Reuters 2021