
Facebook Stopped Tortoiseshell APT from Using Their Platform and Disrupted Their Operations

Silviu STAHIE

July 19, 2021


Facebook has reported that it blocked an APT group known as Tortoiseshell, likely based in Iran, from its platform, and that it notified the people and organizations the group had targeted.

Advanced persistent threat (APT) groups are usually discussed in the context of intrusions, but they also rely on social media and similar services to reach and manipulate their targets. It therefore makes sense for companies such as Facebook to crack down on such groups, especially when they appear to be nation-state actors.

Facebook found that a group of hackers in Iran had targeted people in the US, using the social media platform to distribute malware and support espionage operations. The group is already known in the industry as Tortoiseshell, but it had previously focused its attention on the Middle East.

“In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe,” said Facebook. “This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.”

Not surprisingly for an APT, Facebook was only one facet of the group's operations. The platform was used mainly for social engineering: building trust with targets and then persuading them to move the conversation off Facebook to other, more private channels, where the malicious payloads could be delivered.

The group built and deployed elaborate fake personas to fool potential victims, often posing as recruiters or employees of defense and aerospace companies, or as people working in hospitality, medicine, journalism, NGOs and airlines.

Tortoiseshell also operated a number of fake websites posing as defense companies, and went so far as to spoof a legitimate US Department of Labor job search site. Beyond the social engineering, the group deployed malware, some of it custom-built and some of it obtained from other parties.

“This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers,” Facebook said. “Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for years.”

Tortoiseshell also used malware families that were not its own, including tooling developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).

Facebook published a full list of threat indicators alongside its report.
