Intelligence Briefing #72

Welcome to the Nucleon Cyber Intelligence podcast.

This podcast will give you a summary of the latest news related to cyber intelligence and proactive cyber security in only a few minutes.

The podcast is aimed at professionals who are short on time, or for anyone who would like to know a bit more about what is REALLY happening out there in the cyber world.

The focus of this podcast will be on the latest cyber events for non-technical people; anyone can listen and understand.

A group of Iranian hackers targeting U.S. military personnel on Facebook deployed a “well-resourced and persistent operation” to connect with victims on the social media site and trick them into providing sensitive information as part of a larger online espionage campaign, Facebook said recently.
The group, known as “Tortoiseshell” in the security industry, targeted nearly 200 individuals associated with the military as well as defense and aerospace companies in the U.S., and to a lesser extent in the U.K.

They used social engineering and phishing to direct victims away from Facebook and infect their devices with malware.

Facebook said its investigation revealed that parts of the malware used by Tortoiseshell were developed by Mahak Rayan Afraz, a Tehran-based IT company with close ties to the Islamic Revolutionary Guard Corps (IRGC). “Based on our analysis of the capabilities of this malware, we believe it was target-tailored to understand the type of software that the device was running and the networks that it was connected to, to presumably assist in future targeting efforts for the attackers,” said Mike Dvilyanski, Facebook’s head of cyber espionage investigations.
He alleged the hackers also used fake websites to steal the login credentials of victims’ social media profiles and their corporate and personal email accounts. Dvilyanski said it’s difficult for Facebook to determine the impact of the espionage operation because the hackers allegedly attempted to deliver the malware once conversations moved away from the social media platform. 
Tortoiseshell’s operation was advanced, involved at least four phases, and began with reconnaissance to find potential targets.
The next phase involved creating fake personas across multiple social media sites and building trust with the potential victims. 
In some cases, attempts to engage targets went on for months. 

Tortoiseshell also allegedly used fake websites with spoof domains appearing to represent news organizations like CNN, The Guardian, and Reuters as well as recruiting sites for defense companies like Lockheed Martin. In one instance, the hackers managed to set up infrastructure that spoofed a legitimate U.S. Department of Labor job search site, according to Facebook. “The group invested time in the creation of these fake personas and building them to be believable and credible to engage with their targets and also understanding their targets”. 
The third and fourth phases, which Facebook said it doesn’t have direct visibility into, involved convincing targets to move the conversation away from the social media site to either email or other collaborative tools for the delivery of the malware. The malware included custom tools believed to be unique to Tortoiseshell’s operation and included fully-featured remote-access trojans, device and network reconnaissance tools, and keystroke loggers. 
Remote access trojans provide hackers with administrative control over a computer and the malware is typically delivered through an email attachment. Keystroke loggers allow the criminals to covertly record the keys struck on the victim’s keyboard.

One variant of the malicious tool was embedded in a Microsoft Excel document that was capable of recording saved data from the victim’s computer. Cybersecurity experts describe Tortoiseshell as fairly sophisticated and thoughtful in its operations.

Caroline Wong, the chief strategy officer for cybersecurity firm Cobalt, said Tortoiseshell’s ability to hide its tracks is an indication that the group is not “amateurs looking for quick cash or entertainment.” Wong said the group appeared to be most active in 2018 and 2019, adding that their most well-known attack on IT providers in the Middle East included a similar approach to the more recent attacks on SolarWinds and Kaseya. “In each of these cases the threat actor targeted a ‘stepping stone’ type of organization in order to gain access to the next, more interesting targets.”

The social engineering tactic – using fake personas to connect with and trick targets – that Tortoiseshell deployed can be very effective and appears to be a rising trend for cyber criminals.

That’s it for this podcast, stay safe and see you in the next podcast.

Don’t forget to visit for the latest podcasts on cyber intelligence.
