Facebook Stopped Tortoiseshell APT from Using Their Platform and Disrupted Their Operations

Facebook has reported that it has blocked an APT group named Tortoiseshell, likely based in Iran, from its platform and took steps to inform the people and organizations they targeted.
While we usually hear about advanced persistent threats (APT) groups in very different circumstances, they often use social media and other tools to spread their influence. It makes sense to see companies such as Facebook cracking down on such groups, especially as they seem to be nation-state actors.
Facebook discovered that a group of hackers in Iran targeted the US, using the social media platform to distribute malware and conduct espionage operations. The group is already known in the industry under the Tortoiseshell name, but they previously focused their attention in the Middle East.
“In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe,” saidFacebook. “This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.”
Not surprisingly, for an APT, Facebook was only one facet of their operations, with the platform being mainly used for social engineering and persuading people to abandon the platform and look for more private ways of communication.
The group built and deployed complex fake personas to fool potential victims, as they would often pose as recruiters and employees of defense and aerospace companies or from the domains of hospitality, medicine, journalism, NGOs and airlines.
Tortoiseshell also has a number of fake websites posing as defense companies, and has even gone so far as to spoof a legitimate US Department of Labor job search site. But the group also deployed malware that seems to be custom-built or from other sources.
“This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers,” Facebook said. “Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for years.”
Tortoiseshell also used other malware families developed by the other groups, including Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).
Facebook published a full list of threat indicators.
tags
Author
Right now
Top posts
What is medical identity theft and how to protect against it
July 27, 2022
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside
June 28, 2022
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online
June 28, 2022
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021
June 22, 2022
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data
May 24, 2022