EXECUTIVE SUMMARY:

On Facebook, members of the US military have been receiving messages from fictitious private-sector employers. These illegitimate employers promised aerospace or defense positions tailored to the targets' past military experience.

Last week, Facebook reported that the "employers" were in fact Iranian hackers seeking to deliver malware-laced files to members of the military. Other aims included luring individuals onto phishing sites to harvest login credentials. Researchers also identified remote access trojans (RATs), reconnaissance tools and keyloggers deployed as part of the campaign.

Catfishing and military personnel

The hackers posed as recruiters and professionals in the hospitality industry, the health sector, journalism, NGOs and airlines. Some engaged their targets for months before presenting the social engineering lure.

While previous "catfishing" activity attributed to Iran has zeroed in on targets in the region, in this instance the targets were primarily Americans and Europeans. In essence, the event amounts to a broad espionage operation.

Following the discovery of the scheme, Facebook removed roughly 200 phony profiles from its platforms. Military members, veterans and other targets of the campaign received formal notification from Facebook.

Behind the campaign are the Tortoiseshell hackers, who are believed to work on behalf of the Iranian government. Tortoiseshell shares tooling and tradecraft with other well-known, government-linked Iranian groups, including APT34 (also known as Helix Kitten) and APT35 (Charming Kitten). Tortoiseshell has previously been linked to supply chain attacks that delivered malware through compromised IT providers.

Catfishing, Facebook and Tortoiseshell

More recently, Tortoiseshell has appeared to favor social media catfishing over supply chain attacks. The group's catfishing dates back to 2018 and extends across a variety of websites, not just social media.

In the past, Tortoiseshell has run a fake veterans' employment website titled 'Hire Military Heroes'. The objective was to deceive visitors into installing a desktop app that carried malware, giving the group a foothold for cyber espionage.

Facebook’s other finds

Facebook recently announced that the Tortoiseshell group also spoofed a US Department of Labor webpage and registered URLs impersonating news outlets, spoofed versions of YouTube and LiveLeak, and domains associated with the Trump family and the Trump Organization.

Malware samples from Tortoiseshell have enabled researchers to tie the group to a Tehran-based IT contractor that has previously supplied malware to the Iranian Revolutionary Guard Corps. This gives researchers a link, if a tenuous one, between the Tortoiseshell group and the Iranian government.

In 2019, the group used software tools also employed by the APT34 hacking crew, which has relied on social engineering lures deployed over social media for several years. Similarities also exist between Tortoiseshell and APT35, which in the past used information obtained from a former American military intelligence contractor to target specific individuals with social engineering and phishing campaigns.

Disruptive cyber attacks

The Biden administration's non-confrontational approach to diplomacy may have made it appear as though Iranian cyber attacks had subsided. The Tortoiseshell catfishing scheme suggests otherwise. At present, Biden intends to revive the Obama-era nuclear agreement that constrained Iran's nuclear program and lowered tensions.

However, even as political relations improve, Iranian espionage continues to target the US and other Western nations. At least a handful of experts and officials contend that scrutiny of the aforementioned groups must continue.

For more info about catfishing on Facebook, visit Ars Technica.