Facebook Stopped Tortoiseshell APT from Using Their Platform and Disrupted Their Operations

Silviu STAHIE

July 19, 2021

Facebook has reported that it blocked an APT group named Tortoiseshell, likely based in Iran, from its platform and took steps to notify the people and organizations the group had targeted.

While we usually hear about advanced persistent threat (APT) groups in very different circumstances, they often rely on social media and similar tools to reach their targets. It makes sense to see companies such as Facebook cracking down on such groups, especially when they appear to be nation-state actors.

Facebook discovered that a group of hackers in Iran targeted the US, using the social media platform to distribute malware and conduct espionage operations. The group is already known in the industry under the Tortoiseshell name, but it had previously focused its attention on the Middle East.

“In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe,” said Facebook. “This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.”

Not surprisingly for an APT, Facebook was only one facet of the group's operations. The platform was used mainly for social engineering: building trust with targets and then persuading them to move the conversation off Facebook to other, more private channels.

The group built and deployed elaborate fake personas to fool potential victims, often posing as recruiters or employees of defense and aerospace companies, or as professionals in hospitality, medicine, journalism, NGOs and airlines.

Tortoiseshell also operated a number of fake websites posing as defense companies, and even went so far as to spoof a legitimate US Department of Labor job search site. The group also deployed malware, some of it custom-built and some obtained from other sources.

“This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers,” Facebook said. “Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for years.”

Tortoiseshell also used malware families developed by other parties, including Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).

Facebook published a full list of threat indicators.
