Facebook Stopped Tortoiseshell APT from Using Their Platform and Disrupted Their Operations

Facebook has reported that it has removed an APT group tracked as Tortoiseshell, which it assesses is likely based in Iran, from its platform, and that it has notified the people and organizations the group targeted.

Advanced persistent threat (APT) groups usually make the news for intrusions and malware, but social media is a routine part of their toolkit: it is where they research targets, build rapport and deliver the first lure. So it makes sense to see a company such as Facebook acting against such groups, particularly when they appear to be nation-state actors.

Facebook found that a group of hackers operating from Iran had been targeting the US, using the social media platform to distribute malware and support espionage operations. The group is already known in the industry as Tortoiseshell, but until now its activity had focused on the Middle East.

“In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe,” said Facebook. “This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.”

Not surprisingly for an APT, Facebook was only one facet of the operation. The platform was used mainly for social engineering: building trust with a target and then persuading them to continue the conversation off Facebook on more private channels, where the platform's own abuse detection no longer applies.

The group built and maintained elaborate fake personas to fool potential victims, most often posing as recruiters or employees of defense and aerospace companies, but also as people working in hospitality, medicine, journalism, NGOs and airlines.

Tortoiseshell also set up a number of fake websites posing as defense companies, and went as far as spoofing a legitimate US Department of Labor job search site. Alongside that web infrastructure, the group deployed malware, some of it custom-built and some obtained from other sources.

“This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers,” Facebook said. “Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for years.”

Tortoiseshell also used malware families developed by other groups, including Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).

Facebook published a full list of threat indicators alongside its report, which defenders can use to search their own logs and block the associated infrastructure.