The hackers ran a sophisticated operation to gain their victims’ trust, Facebook said, often posing as representatives of aerospace and defense firms to build deep relationships with their targets before directing them to fraudulent websites. Though the sites looked and acted like their legitimate counterparts — including a US Labor Department job site — they were designed to steal data and scan computer systems.
The group zeroed in on individuals who work in the US military and defense industry, and also targeted similar victims in the UK and Europe, Facebook said.
Mike Dvilyanski, Facebook’s head of cyber espionage investigations, told CNN the company has disabled “fewer than 200 operational accounts” on its platform associated with the Iranian campaign, and notified a similar number of Facebook users that they may have been targeted by the group. The Iranian campaign extended beyond Facebook and also used other platforms and messaging technologies including email, Facebook said. However, it’s difficult to know how successful the espionage campaign may have been.
Until now, the hacking group had been focused on regional targets in the Middle East, Facebook said. But the expansion to include Western targets reflects an evolution in the group’s behavior that began last year.
“Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months,” Facebook said in a blog post.
Once the hackers had gained entry into a target’s device, they shared more files such as fraudulent Microsoft Excel spreadsheets that contained hidden malicious software that could collect even more information, Facebook said. The malware showed signs of being highly customized — not an “off-the-shelf” product, said Dvilyanski — suggesting the hackers were well-supported. Further investigation showed that the malicious software had been designed by a Tehran-based software firm linked to Iran’s powerful Islamic Revolutionary Guard Corps, Facebook said.
On a conference call with reporters, Dvilyanski said Facebook’s cybersecurity group is “confident” about the connection between some of the malware used in the campaign and the IT firm, Mahak Rayan Afraz, and the link to the IRGC. A number of the IT firm’s current and former executives are also connected to other companies under US sanction, according to the Facebook blog post.
“As far as I know, this is the first public attribution of the groups’ malware” to an entity linked to the Iranian government, Dvilyanski told reporters on a conference call.
In addition to notifying its users who had been targeted by the campaign and disabling accounts belonging to the hackers, Facebook also blocked links on its platform to websites controlled by the group, it said.
The so-called “phishing” tactics used by the Iranian hackers have been replicated on a wide scale in recent months, with reports of a Russian campaign sending fake emails posing as the US Agency for International Development. On Wednesday, Google said a separate, likely Russian-backed campaign involved fake LinkedIn messages being sent to victims in a bid to compromise iOS devices. Apple patched the flaw in March.