The group, known as Tortoiseshell, tried to infect devices with malware to enable espionage, and it used different tactics including setting up fake job recruiting sites, Facebook said. The hackers also targeted people in the UK and Europe, the social network said.
Facebook said the hackers tried to direct people to other websites, email or messaging services.
"Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and the group's activity on Facebook manifested primarily in social engineering and driving people off-platform, rather than directly sharing the malware itself," reads a blog post by Facebook's head of cyberespionage investigations, Mike Dvilyanski, and its director of threat disruption, David Agranovich.
Using fake personas, the hackers posed as recruiters and employees of defense and aerospace companies. They also claimed to work in other areas, such as pharmaceuticals, journalism and the airline industry. Hackers also imitated a US Department of Labor job search site in what Facebook said appeared to be an effort to steal login information to the victims' online accounts, including social media and corporate email.
The hackers also shared links to malicious Microsoft Excel spreadsheets and used various malware tools, like remote-access trojans and keystroke loggers, which track what a person types. Facebook said it found that some of the malware was developed by an Iranian IT company known as Mahak Rayan Afraz with ties to the Islamic Revolutionary Guard Corps.