Facebook reports online cyber espionage campaign by hackers in Iran

The campaign, running since 2020, targeted about 200 individuals in the military, defence and aerospace industries “primarily in the US, and to a lesser extent in the UK and Europe”

HOUSTON: Facebook blocked a “sophisticated” online cyber espionage campaign conducted by hackers in Iran attempting to surveil western military, defence and aerospace personnel via its platform.

According to Facebook, a group of Iranian hackers known as Tortoiseshell created fake online personas, such as defence employees and recruiters, on its platform to trick victims into inadvertently clicking on malicious links or files that would allow surveillance of their devices.

They also shared links to malicious Microsoft Excel spreadsheets, which enabled malware to perform various system commands to profile the victim’s machine in a manner very similar to the Liderc reconnaissance tool identified by researchers at Cisco. One previously unreported variant of the malicious tool was embedded in a Microsoft Excel document and was capable of writing the output (i.e. result of the system reconnaissance) to a hidden area of the spreadsheet, which presumably required an attacker to social engineer the target to trick them into saving and returning the file.
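The “hidden area of the spreadsheet” described above corresponds, in an OOXML workbook, to a sheet whose state is `hidden` or `veryHidden` (the latter cannot be unhidden from Excel’s menus). The following triage check is an added example, not code from Facebook’s report or from the campaign; it assumes the file is an OOXML workbook and uses an embedded `vbaProject.bin` as a stand-in for the embedded code the article mentions, since the article does not say how the system commands were executed.

```python
import io
import re
import zipfile

# Constructed minimal xl/workbook.xml: one visible sheet plus a "veryHidden" one.
# veryHidden sheets cannot be unhidden from Excel's UI, only via VBA or by editing the XML.
SAMPLE_WORKBOOK_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheets>
    <sheet name="Candidates" sheetId="1"/>
    <sheet name="Sheet2" sheetId="2" state="veryHidden"/>
  </sheets>
</workbook>"""

SHEET_TAG_RE = re.compile(rb"<sheet\b[^>]*>")   # each <sheet .../> element, not <sheets>
NAME_RE = re.compile(rb'\bname="([^"]*)"')
STATE_RE = re.compile(rb'\bstate="([^"]*)"')


def build_sample_xlsx(workbook_xml=SAMPLE_WORKBOOK_XML, with_vba=True) -> bytes:
    """Assemble just enough of an OOXML container (a zip) to exercise the triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", workbook_xml)
        if with_vba:  # constructed placeholder; a real vbaProject.bin is an OLE2 stream
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def triage_workbook(data: bytes) -> dict:
    """Flag hidden/veryHidden sheets and an embedded VBA project in an .xlsx/.xlsm."""
    findings = {"hidden_sheets": [], "has_vba": False, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        workbook = zf.read("xl/workbook.xml") if "xl/workbook.xml" in names else b""
    for tag in SHEET_TAG_RE.findall(workbook):
        state = STATE_RE.search(tag)
        if state and state.group(1) in (b"hidden", b"veryHidden"):
            name = NAME_RE.search(tag)
            findings["hidden_sheets"].append(
                (name.group(1).decode() if name else "?", state.group(1).decode()))
    # A workbook that both carries code and has a sheet the user cannot see deserves a closer look.
    findings["suspicious"] = findings["has_vba"] and bool(findings["hidden_sheets"])
    return findings


if __name__ == "__main__":
    print(triage_workbook(build_sample_xlsx()))
```

On a returned “application form” the same check applied before and after the recipient handles it would also show a newly created hidden sheet, which is the exfiltration path the article describes.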

This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.

The campaign, running since 2020, targeted about 200 individuals in the military, defence and aerospace industries “primarily in the US, and to a lesser extent in the UK and Europe”, the platform said.

While Facebook has uncovered a handful of cyber espionage campaigns using its platform, such as one carried out by Chinese hackers to target pro-Uyghur activists and dissidents, the latest campaign marked the first targeting predominantly US citizens.

Facebook attributed the attacks to the Iran-based group Tortoiseshell with a “high level of confidence”. Tortoiseshell is believed to have largely targeted sectors such as IT in the Middle East since about 2018.

Facebook found that a part of the malware deployed by the hackers was developed by Mahak Rayan Afraz, an IT company in Tehran “with ties to the Islamic Revolutionary Guard Corps”.
