Facebook said on Thursday that Iranian hackers used its platform to build detailed fake personas in an attempt to lure US service members in the aerospace and defense industries into phishing schemes. The company described the activity as an apparent expansion of the ‘Tortoiseshell’ group, believed to operate out of Tehran, which had previously concentrated on information technology targets in the Middle East.
The company said that fewer than 200 individuals had been notified that they were targeted, and that it had taken down nearly two hundred accounts run by hacker groups in Iran as part of a cyber-espionage operation. In doing so, the social media giant disrupted a sophisticated and highly targeted hacking campaign by Tortoiseshell, which several experts have connected to the Government of Iran.
The campaign did not target only US defense employees: it also went after individuals in the United States, the United Kingdom, and Europe working in defense and aerospace, journalism, medicine, non-profits, and airlines.
The social media giant warned that the hackers posed as recruiters, as employees of defense contractors, and as young, attractive women on Facebook in order to build relationships with US military personnel and hack into their computers.
FB said the hackers’ targets were mostly in the U.S., plus some in the UK and Europe. They used tailored domains to attract targets, like fake recruiting websites for defense firms. FB said the group set up online infrastructure that spoofed a legit job search site for the U.S. Dept. of Labor.
— Elizabeth Culliford (@eculliford) July 15, 2021
The spying campaign aimed to gather information about the people Tortoiseshell targeted, and to do that the attackers tried to obtain the victims’ login credentials for their organizations’ accounts. In one case, they set up fake employment websites; in another, they spoofed a legitimate US Department of Labor job site.
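The credential-harvesting tactic described above relies on a lookalike site that a victim mistakes for the real one. The following script is an added example, not code from Facebook or from the reporting: it scans constructed proxy-log lines for hostnames that imitate a list of protected domains, either by embedding the brand label under a different registrable domain or by sitting within a small edit distance of it. The protected domains, the log format (`host=` fields) and every hostname in the sample are placeholders constructed for the example; the real sites the campaign spoofed are not named in the article.

```python
"""Flag lookalike (spoofed-site) hostnames in constructed proxy log lines.

Added, hypothetical example. PROTECTED_DOMAINS and LOG_LINES are constructed
placeholders, not domains taken from the reporting.
"""
import re
from typing import List, Optional, Tuple

# Constructed placeholders for sites an organisation wants watched.
PROTECTED_DOMAINS = ["example-jobs.gov", "acme-defense.com"]

# Constructed sample proxy log lines (one per request).
LOG_LINES = [
    "2021-07-15T10:01:02Z src=10.0.0.5 host=careers.example-jobs.gov status=200",
    "2021-07-15T10:02:17Z src=10.0.0.5 host=example-jobs.gov.careers-portal.net status=200",
    "2021-07-15T10:03:40Z src=10.0.0.7 host=exampel-jobs.gov status=200",
    "2021-07-15T10:04:11Z src=10.0.0.9 host=acme-defense.com status=200",
    "2021-07-15T10:05:55Z src=10.0.0.9 host=acmedefense-recruiting.com status=200",
    "2021-07-15T10:06:30Z src=10.0.0.2 host=news.example.org status=200",
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def registrable_domain(host: str) -> str:
    """Rough registrable-domain heuristic: the last two labels (no Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str, protected: List[str] = PROTECTED_DOMAINS) -> Optional[str]:
    """Return why `host` looks like an imitation of a protected domain, or None.

    The real site and its subdomains are never flagged; everything else is
    compared by brand containment (hyphens ignored) and by edit distance.
    """
    reg = registrable_domain(host)
    if reg in protected:
        return None
    host_norm = host.lower().replace("-", "")
    reg_brand = reg.split(".")[0].replace("-", "")
    for legit in protected:
        brand = legit.split(".")[0].replace("-", "")
        if brand in host_norm:
            return f"brand '{brand}' of {legit} appears under unrelated domain {reg}"
        if levenshtein(reg_brand, brand) <= 2:
            return f"label '{reg_brand}' is within edit distance 2 of {legit}"
    return None


def scan_logs(lines: List[str], protected: List[str] = PROTECTED_DOMAINS) -> List[Tuple[str, str]]:
    """Extract host= fields from log lines and return (host, reason) for each lookalike."""
    findings = []
    for line in lines:
        match = HOST_RE.search(line)
        if not match:
            continue
        host = match.group(1)
        reason = lookalike_reason(host, protected)
        if reason:
            findings.append((host, reason))
    return findings


if __name__ == "__main__":
    for flagged_host, why in scan_logs(LOG_LINES):
        print(f"{flagged_host}: {why}")
```

The two-label registrable-domain heuristic is deliberately simple and misclassifies suffixes such as `co.uk`; a production version would use the Public Suffix List and feed findings into the proxy or DNS alerting pipeline rather than printing them. Edit distance 2 catches single-character typos and transpositions but will also flag short, unrelated labels, so tune the threshold to the length of the brand names being protected.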
ODNI Called Iran A Significant Threat To American Security
Facebook further stated that its investigation and malware analysis found that a portion of the malware was developed by Mahak Rayan Afraz (MRA), an IT firm in Tehran with ties to the IRGC (Islamic Revolutionary Guard Corps).
Mike Dvilyanski, Facebook’s head of cyber-espionage investigations, said this was the first attribution of the group to MRA, though he did not elaborate further on MRA. MRA was first named as an Iranian government contractor in a 2020 report on the country’s online spying activities by Recorded Future, a US cyber-intelligence firm.
American intelligence authorities have grown increasingly concerned about Iran’s rising capabilities and aggressiveness in cyberspace. In its annual ‘Worldwide Threat Assessment,’ published in April, the Office of the Director of National Intelligence (ODNI) called Tehran a significant threat to the security of United States and allied networks.
The report stated that the ODNI expects Tehran to emphasize online covert influence, such as spreading false information about fabricated threats or “compromised election infrastructure” and recirculating anti-American content.
Earlier in 2021, the US intelligence community also accused the Islamic Republic of Iran of interfering in the 2020 American presidential election by carrying out a comprehensive covert influence campaign intended to undercut Donald Trump’s re-election prospects.