Facebook says it disrupted Iran-based hackers who targeted US

The group of hackers went after military personnel and defense and aerospace companies primarily in the US, the social network says.

Queenie Wong Former Senior Writer

Facebook disrupted a group of hackers in Iran that targeted US military personnel and defense and aerospace companies, the social network said Thursday.

The group, known as Tortoiseshell, tried to infect devices with malware to enable espionage, and it used different tactics including setting up fake job recruiting sites, Facebook said. The hackers also targeted people in the UK and Europe, the social network said.

Facebook said the hackers tried to direct people to other websites, email or messaging services.

"Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and the group's activity on Facebook manifested primarily in social engineering and driving people off-platform, rather than directly sharing the malware itself," reads a blog post by Facebook's head of cyberespionage investigations, Mike Dvilyanski, and its director of threat disruption, David Agranovich.

Using fake personas, the hackers posed as recruiters and employees of defense and aerospace companies. They also claimed to work in other areas, such as pharmaceuticals, journalism and the airline industry. Hackers also imitated a US Department of Labor job search site in what Facebook said appeared to be an effort to steal login information to the victims' online accounts, including social media and corporate email.

The hackers also shared links to malicious Microsoft Excel spreadsheets and used various malware tools, like remote-access trojans and keystroke loggers, which track what a person types. Facebook said it found that some of the malware was developed by an Iranian IT company known as Mahak Rayan Afraz with ties to the Islamic Revolutionary Guard Corps.