23 July 2021, Kathmandu
Facebook revealed that it tracked and partly disrupted a cyber espionage campaign launched by Iranian hackers, known collectively as Tortoiseshell or Imperial Kitten.
On Thursday, Facebook said that it had taken down about 200 accounts used by a group of hackers in Iran as part of a cyber spying operation that mostly targeted US military personnel and people working at defense and aerospace companies.
The hackers impersonated recruiters to lure U.S. targets with compelling social engineering schemes, sending malware-laced files or deceiving the victims into submitting credentials to phishing sites. The attackers also imitated personnel from the hospitality and medical sectors, NGOs, and airlines. Though the campaign mostly targeted U.S. citizens, a few European victims were also affected.
Facebook said the hackers mostly targeted people in the US, as well as some in the UK and Europe, during a campaign running since mid-2020. It declined to name the businesses whose employees were targeted, but its head of cyber espionage investigations, Mike Dvilyanski, said it had been notifying the “fewer than 200 individuals” who were targeted.
About the campaign
The gang was recently in the news for targeting IT providers in the Middle East in a possible supply chain attack.
• This campaign appears to be an extension of the threat actor’s activities into regions beyond the Middle East.
• According to analysts, the malware was partly developed by Mahak Rayan Afraz (MRA), an IT firm in Tehran linked to the IRGC.
• The campaign was persistent and well-resourced, and relied on robust operational security measures to obscure the responsible actor.
• The TTPs employed included social engineering, phishing, credential theft, malware deployment, and outsourced malware development.
Iran’s mission to the United Nations in New York did not immediately respond to a request for comment. Allegations of a connection between Iranian state cyber espionage and MRA are not new: last year the cybersecurity company Recorded Future said MRA was one of several contractors suspected of serving the IRGC’s elite Quds Force.
The bottom line
Facebook has blocked the malicious domains from being shared on its platform, and Google has added them to its blocklist. This campaign indicates that Iranian cyber espionage will continue to aim at sensitive targets. State-backed hackers are up to no good, and defenses need to be cranked up.