Facebook Disrupts Iran-Based Espionage Hacking Group

(RFE/RL) — Facebook has disrupted a group of hackers in Iran behind “espionage operations” targeting mostly U.S. military personnel and companies in the defense and aerospace industries.

The social-media giant said in a blog post on July 15 that the group, known in the security industry as Tortoiseshell, used fake online personas to build trust in order to get targets to click on malicious links.

In many cases, the fictitious personas had profiles across multiple social-media platforms and they often posed as recruiters and employees in the defense industry.

“This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage,” Facebook said.

“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” it added.

Facebook’s investigation found that the malware was developed by Mahak Rayan Afraz (MRA), a company with ties to Iran’s Islamic Revolutionary Guards Corps (IRGC).

Some of the current and former figures at MRA have links to companies sanctioned by the United States.

In all, Facebook took down about 200 accounts linked to the Tortoiseshell group, which previously mainly focused on targeting the information technology industry in the Middle East.

Facebook said fewer than 200 users may have fallen for the trick and that those people have been notified. It also shared threat findings with internet industry peers and law enforcement.