Iranian hackers used Facebook to create elaborate fake personas with the purpose of getting Americans in the military, defense, and aerospace industries to fall for phishing schemes so that the hackers could access personal and classified information, Facebook said on Thursday.

The hackers also targeted defense personnel in the U.K. and Europe.

The Iranian spying campaign began last year. Facebook took down “fewer than 200 operational accounts”, according to Mike Dvilyanski, Facebook’s head of cyber-espionage investigations.

This is another attack on the U.S. but this time, Iran didn’t target infrastructure or large corporations but the military and defense industry.

Facebook reported that the group, dubbed ‘Tortoiseshell’ by cybersecurity experts, used fake online personas, posing as legitimate defense or aerospace contractors to connect and build trust with members. They then would trick targets into other sites which contained links that would infect their devices with spying malware.

Iranian Hackers Use Facebook to Spy on US Military
Hackers assigned to the Iranian Revolutionary Guard Corps. (Iranian military)

“This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who’s behind it,” Facebook’s investigations team said in a release on their blog.

“Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months,” Facebook added.

The Iranians created “catfish” fake personas that were “designed to look like things people would engage with,” said Dvilyanski. Some of the personas included “attractive young women posing as professionals, sometimes pretending to be recruiters for particular companies or industries.”

The Iranian Hackers’ Link to the Revolutionary Guard Corps

As soon as the hackers would access a target’s device, they would share more files, such as fake Microsoft Excel spreadsheets, that contained malicious software. This allowed the hackers to collect even more information, Facebook said. 

The malware was most definitely not an “off-the-shelf” product, said Dvilyanski. This means that the hackers were well-supported. Facebook learned that the malicious software had been designed by Mahak Rayan Afraz a Tehran-based software firm linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).

Dvilyanski said in a media conference call that Facebook’s cybersecurity group is “confident” of the connection between some of the malware used in the campaign and Mahak Rayan Afraz, and the link to the IRGC.

A number of the firm’s current and former executives are also connected to other companies under U.S. sanctions, according to the Facebook blog post.

When pressed by international media, Iran’s mission to the United Nations didn’t respond or comment on these charges.