July 23, 2021 | Policy Brief

Iran’s Social Engineering Capabilities Mature

Facebook last week dismantled a long-running Iranian cyber operation that collected sensitive information on U.S. military personnel and employees of American defense and aerospace companies. Unlike a previous Iranian campaign during the 2020 presidential election that was quickly discovered and thwarted, the sophistication and longevity of this operation serve as reminders that the expanding capabilities of second-tier cyber adversaries pose a threat to U.S. national security.

In a sophisticated social engineering and malware campaign, the Advanced Persistent Threat (APT) group known as Tortoiseshell — masquerading as recruiters, employees of defense contractors, and attractive women — connected with U.S. citizens, built rapport, and moved the conversations off-platform to execute attacks. Facebook explained that the activity on its site was the first step in a larger, cross-platform espionage operation in which the hackers attempted to trick targets into clicking on links that harvested users’ credentials and installed spyware that would collect network information, provide remote access, and log keystrokes. The malicious domains used included fake recruiting websites, a sham U.S. Department of Labor job site, and several domains using the Trump family name.

In a telephone briefing, Mike Dvilyanski, Facebook’s head of cyber espionage investigations, revealed that information technology firm Mahak Rayan Afraz — a company with ties to the Islamic Revolutionary Guard Corps (IRGC) — developed portions of the malware. Private cybersecurity firm Mandiant similarly said, “We can tie this activity to a company we believe is associated with the IRGC.”

In a separate, unrelated operation revealed days before Facebook’s action, another Iranian APT supporting “IRGC intelligence priorities” impersonated British scholars to target their American and European colleagues to obtain information about Iranian dissidents and insights into U.S. policy. Last month, The New York Times detailed yet another Iranian operation, this time a disinformation operation leveraging social media apps in Israel. While the three campaigns are unrelated, they indicate a troubling evolution in the capabilities of Tehran’s state-sponsored cyber operatives.

Tortoiseshell, for example, has typically spied on targets in the Middle East, according to cybersecurity firm Symantec, but has shifted focus “in recent months” to the U.S. defense sector — although this is not the first time the group has targeted U.S. veterans. Facebook said that the group’s activities “had the hallmarks of a well-resourced and persistent operation” and, unlike Iran’s attempted interference in the 2020 election, had “relatively strong operational security measures.” Meanwhile, The New York Times described the operation against Israelis as the “first-of-its-kind.” Commenting on this effort, a Facebook spokeswoman said, “Iranian-based threat actors are some of the more persistent and well-resourced groups.”

These operations highlight how social media platforms such as Facebook, Twitter, Instagram, and LinkedIn and messaging apps such as WhatsApp and Telegram are an attractive launchpad for sophisticated social engineering cyberattacks. While Congress is currently debating the definition, requirements, and government support for systemically important critical infrastructure, a parallel conversation is needed for what might be called systemically important communications and internet infrastructure. This matters because, while these companies have themselves been the victims of attacks, they are more often exploited by malicious actors as a conduit to reach other victims.

Companies must continue their efforts to thwart malicious activity on their platforms, but the government also has a critical role to play. Bridging the public-private partnership gap will require not only providing potential victims with greater information so they can defend themselves, but also more actively sharing threat intelligence with large social media platforms regarding foreign cyber actors so that these firms can step up their efforts to prevent attacks in the first place.

Annie Fixler is the deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where she also contributes to FDD’s Iran Program. Divjot Bawa is an intern at FDD. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
