Atlanta, United States (CNN) – Facebook Inc. on Thursday said it had disrupted a group of Iranian hackers who created fake social media profiles and sent malicious links to victims in an attempt to spy on Western security and defense contractors. The campaign appears to be linked to the Iranian government.
Facebook added that the hackers went through an elaborate process to win victims’ trust, often posing as representatives of airlines and security companies and building relationships with their targets before directing them to fraudulent websites.
While the sites may look and behave like their legitimate counterparts, including one mimicking a US Department of Labor site, they are designed to steal data and fingerprint visitors’ computer systems.
The group has focused on individuals working in the U.S. military and defense sector, and Facebook said it was also targeting similar victims in the UK and Europe.
Mike Dvilyanski, Facebook’s head of cyber surveillance, told CNN that the company had disabled “less than 200 active accounts” on its platform linked to the Iranian campaign, and that a similar number of Facebook users may have been targeted.
The company noted that the Iranian campaign had expanded beyond Facebook and used other sites and technologies, including email. However, it is difficult to know how successful the spying campaign was.
So far, Facebook says, the hacking group has focused on regional targets in the Middle East, but the expansion to include Western targets reflects an evolution in the group’s behavior that began last year.
According to the company’s blog post, “Our investigation has found that this group has invested significant time in online social engineering initiatives and in some cases has engaged with its targets for months.”
Facebook said the hackers also delivered additional files, such as malicious Microsoft Excel spreadsheets, to target devices; these contained hidden malware that could gather further information.
Dvilyanski said the malware showed signs of being highly customized – it was not an “off-the-shelf” product, which meant it was well-supported by the hackers. Further investigation revealed that the malware was developed by a Tehran-based software company linked to Iran’s powerful Revolutionary Guards.
In a conference call with reporters, Dvilyanski said Facebook’s cybersecurity team had “confidence” in the link between some of the malware used in the campaign and the IT company Mahak Rayan Afraz, and between that company and Iran’s Revolutionary Guards. According to the Facebook blog, many current and former executives of the IT company are affiliated with other companies subject to US sanctions.
He said that, to his knowledge, this is the first time the group’s malware has been publicly attributed to a company affiliated with the Iranian government.
He added that in addition to notifying users targeted by the campaign and disabling hackers’ accounts, Facebook also blocked links to websites controlled by the group on its site.
The “phishing” tactics used by the Iranian hackers have been widely reported in recent months, with reports describing a Russian campaign that sent fake emails pretending to come from the US Agency for International Development (USAID).
Google said on Wednesday that a separate, Russian-backed campaign had sent fake messages to victims in an attempt to hack their iOS devices. Apple fixed the bug in March.