
Facebook says Iranian hackers used its site to spy on US military

Probe found some of the malware used by the hackers was developed by a Tehran IT company with ties to the IRGC

Facebook said on Thursday it had taken down about 200 accounts run by a group of hackers in Iran as part of a cyber-spying operation that targeted mostly US military personnel and people working at defence and aerospace companies.

The US social media giant said the group, dubbed Tortoiseshell by security experts, used fake online personas to connect with targets, build trust - sometimes over the course of several months - and drive them onto other sites where they were tricked into clicking on malicious links that would infect their devices with spying malware.


"This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who's behind it," Facebook's investigations team said in a blog post.

The group, Facebook said, made fictitious profiles across multiple social media platforms to appear more credible, often posing as recruiters or employees of aerospace and defence companies. 

Microsoft-owned LinkedIn said it had removed a number of accounts and Twitter said it was "actively investigating" the information in Facebook's report.

IRGC ties

The campaign appeared to show an expansion of the group's activity, which had previously been reported to concentrate mostly on IT and other industries in the Middle East, Facebook said. 

The investigation found that a portion of the malware used by the group was developed by Mahak Rayan Afraz (MRA), an IT company based in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).

Reuters said it could not immediately locate contact information for Mahak Rayan Afraz and former employees of the firm did not return messages sent via LinkedIn. 

Iran's mission to the United Nations in New York did not immediately respond to a request for comment from the news agency.

MRA's alleged connection to Iranian state cyber espionage is not new. 

Last year, cybersecurity company Recorded Future said MRA was one of several contractors suspected of serving the IRGC's elite Quds Force.

Iranian government spies, like other espionage services, have long been suspected of farming out their mission to a host of domestic contractors.


Facebook said the group used email, messaging and collaboration services to distribute the malware, including through malicious Microsoft Excel spreadsheets. 

A Microsoft spokesperson said in a statement it was aware of and tracking this actor and that it takes action when it detects malicious activity.


Alphabet, the owner of Google, said it had detected and blocked phishing on Gmail and issued warnings to its users. 

Workplace messaging app Slack Technologies said it had acted to take down the hackers who used the site for social engineering and shut down all workspaces that violated its rules.

The hackers also used tailored domains to attract their targets, Facebook said, including fake recruiting websites for defence companies, and set up online infrastructure that spoofed a legitimate job search website for the US labour department.

Facebook said the hackers mostly targeted people in the United States, as well as some in the United Kingdom and Europe, in a campaign running since mid-2020. 

It declined to name the companies whose employees were targeted, but its head of cyber espionage Mike Dvilyanski said it was notifying the "fewer than 200 individuals" who were targeted.

Facebook said it had blocked the malicious domains from being shared and Google said it had added the domains to its "blocklist". 
