Are you a member of the U.S. military? Have you received friendly Facebook texts from private-sector recruiters recently? We might have some bad news for you.
What’s up?
Facebook revealed that it tracked and partly disrupted a cyber espionage campaign launched by Iranian hackers, collectively known as Tortoiseshell or Imperial Kitten. The hackers impersonated recruiters to lure U.S. targets with compelling social engineering schemes. This was followed by sending malware-laced files or deceiving the victims into submitting credentials to phishing sites. Apart from this, the hackers also impersonated personnel from the hospitality and medical sectors, NGOs, and airlines. While the campaign has mostly targeted U.S. citizens, some European victims have also been impacted.
About the campaign
The gang was recently under the spotlight for targeting IT providers in the Middle East in a possible supply chain attack.
This campaign appears to be an extension of the threat actor’s activities in other regions apart from the Middle East.
As per the investigation, the malware was partly developed by Mahak Rayan Afraz, an IT firm in Tehran associated with the IRGC.
The campaign was persistent and well-resourced and dependent on robust operational security measures to obscure the responsible actor.
The TTPs employed include social engineering, phishing and credential theft, malware deployment, and outsourcing malware development.
The bottom line
Facebook has blocked the malicious domains from being shared and Google has added them to its blocklist. This campaign indicates that Iranian cyberespionage will continue to take aim at sensitive targets. State-backed hackers are up to no good and defenses need to be cranked up.