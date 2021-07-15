



The hackers ran a patient operation to gain the trust of their victims, Facebook said, often masquerading as recruiters or representatives of aerospace and defense companies and building relationships with their targets before steering them to fraudulent websites. Although the sites looked and behaved like their legitimate counterparts, including a spoofed US Department of Labor job site, they were built to harvest credentials and other data and to profile the visitor's computer system.

The group focused on people working in the US military and defense industry, and also targeted similar victims in the UK and Europe, Facebook said.

Mike Dvilyanski, Facebook’s head of cyber espionage investigations, told CNN that the company has disabled “less than 200 operational accounts” on its platform associated with the Iranian campaign, and has informed a similar number of Facebook users that they might have been targeted by the group. The Iranian campaign has spread beyond Facebook and has also used other messaging platforms and technologies, including email, Facebook said. However, it is unclear how successful the spy campaign was.

Until recently, the hacking group had concentrated on targets in the Middle East, Facebook said. Its expansion to Western targets reflects a shift in the group's behavior that began last year.

“Our investigation found that this group had invested a lot of time in their internet social engineering efforts, in some cases engaging with their targets for months,” Facebook said in a blog post. Once the hackers had compromised a target's device, they delivered additional files, such as malicious Microsoft Excel spreadsheets carrying hidden malware, that could collect still more information, Facebook said. The malware showed signs of being highly customized rather than a “plug and play” product, Dvilyanski said, suggesting the hackers were well resourced.

Further investigation showed that the malware was developed by a Tehran-based software company linked to Iran's powerful Islamic Revolutionary Guard Corps (IRGC), Facebook said. In a conference call with reporters, Dvilyanski said Facebook's cyber espionage team was “confident” about the link between some of the malware used in the campaign and the IT company, Mahak Rayan Afraz, and about that company's link to the IRGC. A number of current and former executives of the IT company are also linked to other companies under U.S. sanctions, according to the Facebook blog. “As far as I know, this is the group's first public attribution of the malware” to an entity linked to the Iranian government, Dvilyanski told reporters on the call.

In addition to notifying users who had been targeted by the campaign and disabling accounts operated by the hackers, Facebook also blocked links on its platform to websites controlled by the group, he said.

The phishing tactics used by the Iranian hackers have been seen at scale from other actors in recent months, with reports of a Russian campaign sending fake emails masquerading as the US Agency for International Development. Google said on Wednesday that a separate campaign, likely backed by Russia, involved sending fake LinkedIn messages to victims in an attempt to compromise iOS devices. Apple fixed the flaw in March.

