Facebook’s Threat Intelligence Team Bans Tortoiseshell
Facebook’s head of espionage investigations, Mike Dvilyanski, and director of threat disruption, David Agranovich have reported that Iranian APT group, Tortoiseshell, has plotted targeted attacks on U.S. military personnel and companies in defense and aerospace industries.
The social media giant has blocked all found malicious domains being pushed by Tortoiseshell, and has taken down the group’s activity on Facebook. Targets of this campaign have been notified.
“This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide behind it,” according to the Facebook team.
Tortoiseshell’s Facebook Campaign Focuses on Social Engineering
The APT group has focused its efforts in social engineering, luring targets off of Facebook and onto external sites to expose them to malware.
The group created fake online personas, posing as recruiters and employees of defense and aerospace companies. There are also reports of personas claiming to work in the fields of hospitality, medicine, journalism, non-governmental organizations (NGO’s) and airlines.
Using these fake identities, the group would engage with targets, sometimes for months, in order to build trust and get them to visit malicious sites. Knowing that spreading malware directly through Facebook is risky, threat actors created dozens of domains, designed to appeal to a wide audience across different industries and subjects of interest.
Of those domains, 5 URL’s contained the name “Trump.” There were other domains masquerading as defense contractors, U.S. Labor Department Career sites, as well as email providers.
Facebook’s report states that “as part of their phishing campaigns, they spoofed domains of major email providers and mimicked URL-shortening services, likely to conceal the final destination of these links.” These links were used to steal login credentials to victims’ online accounts (i.e. corporate and personal email accounts, collaboration tools commonly used in the workplace, social media, etc.). By doing this, they would be able to obtain information about their victims’ devices, connected networks, and installed software, which would then allow the attacker to create and deliver “tailor-made” malware.
Investigations Give Insight Into Malware Source
Tortoiseshell’s campaign has been tracked as UNC1833 by FireEye, a cybersecurity company that focuses on the detection and prevention of major cyberattacks. They found that the Iranian APT group is connected to APT35 or “Charming Kitten,” an Iranian government cyberwarfare group.
According to Facebook, Tortoiseshell has been using custom malware that included remote access Trojans, tools to spy on devices and networks, as well as keystroke loggers. Some of the malware was developed by Mahak Rayan Afraz, a Tehran IT company that is involved with the Islamic Revolutionary Guard Corps.
While Tortoiseshell has been focused on IT campaigns in the Middle East, they have apparently been expanding their operation to the United States as well as the U.K. and Europe.