Taking Action Against Hackers in Iran

By Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption

Facebook threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.

Today, we’re sharing actions we took against a group of hackers in Iran to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and conduct espionage operations across the internet, targeting primarily the United States. This group is known in the security industry as Tortoiseshell, whose activity was previously reported to mainly focus on the information technology industry in the Middle East. In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe. This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.

This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it. Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and the group’s activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing the malware itself.

We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:

Social engineering: In running its highly targeted campaign, Tortoiseshell deployed sophisticated fake online personas to contact its targets, build trust and trick them into clicking on malicious links. These fictitious personas had profiles across multiple social media platforms to make them appear more credible. These accounts often posed as recruiters and employees of defense and aerospace companies from the countries their targets were in. Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines. They leveraged various collaboration and messaging platforms to move conversations off-platform and send malware to their targets. Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months.

Phishing and credential theft: This group created a set of tailored domains designed to attract particular targets within the aerospace and defense industries. Among them were fake recruiting websites for particular defense companies. They also set up online infrastructure that spoofed a legitimate US Department of Labor job search site. As part of their phishing campaigns, they spoofed domains of major email providers and mimicked URL-shortening services, likely to conceal the final destination of these links. These domains appeared to have been used for stealing login credentials to the victims’ online accounts (e.g. corporate and personal email, collaboration tools, social media). They also appeared to be used to profile their targets’ digital systems to obtain information about people’s devices, networks they connected to and the software they installed to ultimately deliver target-tailored malware.

Malware: This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers. Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for years. They also shared links to malicious Microsoft Excel spreadsheets, which enabled malware to perform various system commands to profile the victim’s machine in a manner very similar to the Liderc reconnaissance tool identified by researchers at Cisco. One previously unreported variant of the malicious tool was embedded in a Microsoft Excel document and was capable of writing the output (i.e. result of the system reconnaissance) to a hidden area of the spreadsheet, which presumably required an attacker to social engineer the target to trick them into saving and returning the file.

Outsourcing malware development: We’ve observed this group use several distinct malware families. Our investigation and malware analysis found that a portion of their malware was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some of the current and former MRA executives have links to companies sanctioned by the US government.

We shared our findings and threat indicators with industry peers so they too can detect and mitigate this activity. To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.

Threat Indicators

Domains:

1st-smtp2go[.]email
2nd-smtp2go[.]email
3rd-smtp2go[.]email
4th-smtp2go[.]email
accounts[.]cam
activesessions[.]me
adobes[.]software
alhds[.]net
apppure[.]cf
bahri[.]site
bbcnews[.]email
bitly[.]cam
biturl[.]cx
brdcst[.]email
careeronestop[.]site
cc-security-inc[.]email
ccsecurity-mail-inc[.]email
ccsecurity-mail-inc[.]services
citymyworkday[.]com
cityofberkeley[.]support
cnbcnews[.]email
cnnnews[.]global
codejquery-ui[.]com
com-account-challenge[.]email
com-signin-v2[.]email
comlogin[.]online
comlogin[.]services
copyleft[.]today
crisiswatchsupport[.]shop
datacatch[.]xyz
dayzim[.]org
dh135[.]world
dollrealdoll[.]com
dollrealdoll[.]online
entrust[.]work
erictrumpfundation[.]com
facebookservices[.]gq
fblogin[.]me
fileblade[.]ga
findcareersatusbofa[.]com
fiservcareers[.]com
goodreads[.]rest
googl[.]club
gropinggo[.]com
hex6mak5z98nubb9vpd6t36cydkncfci9im872qx6hjci2egx8irq3qyt9pj[.]online
hike[.]studio
hiremilitaryheroes[.]com
hosted-microsoft[.]com
iemail[.]today
incognito[.]today
infoga[.]cam
iqtel[.]org
irtreporter[.]com
itiee[.]life
itieee[.]life
jessicamcgill[.]life
jqueryui-code[.]com
jumhuria[.]com
kartick[.]net
kaspersky[.]team
linkgen[.]me
linksbit[.]com
linq[.]ink
liveleak[.]cam
liveuamap[.]live
lockheedmartinjobs[.]us
loginaccount[.]email
logonexchangeonline[.]com
logonmicrosoftonline[.]com
lskjirn[.]life
mail2go[.]live
mail2go[.]online
mail2u[.]live
mailaccountlive[.]email
mailaccountlive[.]support
mailpublisher[.]live
mails[.]center
metacafe[.]live
micorsoftonilne[.]com
micorsoftonline[.]website
micorsoftonline[.]xyz
microsoftoffice[.]systems
microsoftonilne[.]cloud
mispace[.]cam
msol[.]live
msonline[.]live
mssecurityaccount[.]online
mydomainxyz[.]xyz
news-smtp2go[.]email
newsl[.]ink
noreplay[.]email
novafile[.]tk
onpointcorp[.]co
outlook-services[.]com
outlookservices[.]live
outlookservices[.]me
outube[.]live
pic-shareonline[.]com
pixlr[.]live
pixlr[.]myftp[.]org
post-jquery[.]com
prefiles[.]ml
publicsgroupe[.]net
pwutc[.]live
rali[.]live
recruitme[.]international
robotics[.]land
sabic[.]work
sandsngo[.]com
saudivisions2030[.]org
securityaccountreply[.]com
seery[.]online
sendblaster[.]org
sender[.]gb[.]net
shareae[.]cf
shlink[.]run
shlnk[.]run
short-l[.]link
shortli[.]live
shrt[.]rip
shur[.]live
shurl[.]site
site1[.]life
smtp-2go[.]com
smtp2go[.]best
smtp2go[.]club
smtp2go[.]email
smtp2go[.]fun
smtp2go[.]icu
smtp2go[.]live
smtp2go[.]me
smtp2go[.]pw
smtp2go[.]site
smtp2go[.]space
smtp2go[.]website
smtper[.]center
smtptogo[.]pw
soc-usa[.]email
soundcloud[.]fun
soundcloud[.]live
spreadme[.]international
src-ymlang[.]link
support-securitymail[.]email
support-ymail-team[.]online
surl[.]ist
surl[.]live
sxk8xrjtaikv3dxl7hgghw3vptvxpzzxeynrcltu4k3yeecjq3[.]online
systembackend[.]site
techmahindra[.]support
teleweb[.]world
tetra[.]email
thegardian[.]ml
thegaurdian[.]live
thomsonsreuters[.]email
thomsonsreuters[.]eu
thomsonsreuters[.]link
thomsonsreuters[.]net
tinil[.]ink
tinly[.]me
tinylink[.]pro
tinyurl[.]gold
tiwpan[.]xyz
tox[.]cheap
treasury[.]email
treporter[.]com
trumphotel[.]net
trumpnationallosangeles[.]email
trumporganization[.]world
trumporganizations[.]com
tv-youtube[.]com
uploaderfile[.]cf
usdailypost[.]com
usdailypost[.]net
usdp[.]news
vps[.]limited
watch-youtube[.]com
wikileaks[.]email
workshopplatform[.]network
xn--rumphotels-vcc[.]com
xn--twitte-u9a[.]com
xyzsitexyz[.]xyz
ymail-account[.]support
ymail-security-support[.]email
ymail-security[.]support
ymailaccounts[.]us
ymailsupport[.]info
zain[.]network



To help personalize content, tailor and measure ads, and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookies Policy