JAKARTA - Facebook's threat intelligence team stated that it had encountered interference from an Iranian advanced persistent threat (APT) group. The group has been using social networks as part of its efforts to spread malware and carry out cyber-espionage operations, especially against targets in the US.

An advanced persistent threat (APT) group is a stealthy threat actor, usually a state or a state-sponsored group, that gains unauthorized access to a computer network and remains undetected for a long time.

Mike Dvilyanski, Facebook's head of cyber espionage investigations, and David Agranovich, director of threat disruption at Facebook, reported that the group dubbed "Tortoiseshell" targets military personnel and companies in the defense and aerospace industries in the US, UK or Europe.

"These activities are characterized by well-resourced and persistent operations while relying on relatively strong operational security measures to hide who is behind them," the Facebook team said.

Facebook blocked the malicious domains created by this group from being shared on its platform. Facebook also removed the group's accounts and notified the people it believed the group had targeted.

The social media company said its platform was used as part of Tortoiseshell's broader cross-platform cyber-espionage operation. The group's activity on Facebook focuses on social engineering: trying to lure users off the social network to sites where they can be exposed to malware, and sharing malware on Facebook directly.

FireEye, which tracks Tortoiseshell as UNC1833, said that since 2018 the group has focused on targets in the Middle East. It is linked to another Iranian APT group, APT35.

"Iran is still an aggressive cyber actor that should not be ignored. Although much of their activity is focused on the Middle East, they are now not limited to operating within their territory," said Sarah Jones, senior principal analyst with Mandiant Threat Intelligence.

Tortoiseshell Method

Facebook said the Tortoiseshell gang created fake online personas when contacting targets, sometimes engaging with them for months.

"These accounts often impersonate recruiters and employees of defense and aerospace companies from their target countries. Other personas claim to work in hospitality, medicine, journalism, NGOs and airlines," Facebook said.

According to Facebook, the APT group created dozens of fake domains designed to attract people from various industries and interests. These include five URLs containing the name "Trump." Other fake sites spoof defense contractors, US Department of Labor career sites, and email providers.

Tortoiseshell uses these fake domains as bait to lure its targets away from Facebook to sites where it can conduct espionage, steal information or spread malware.

"These domains appear to have been used to steal login credentials to victims' online accounts (e.g., corporate and personal email, collaboration tools, social media)," Facebook said. "They also appear to be used to profile their targets' digital systems to get information about people's devices, the networks they connect to, and the software they install, to eventually deliver malware specifically designed for the target."

Facebook believes the group used custom malware that included a full-featured remote access Trojan, device and network surveillance tools, and a keylogger. Facebook indicated that some of the malware used was developed by the Tehran IT firm Mahak Rayan Afraz, which has ties to the Islamic Revolutionary Guard Corps.

On Wednesday, July 14, Proofpoint described another Iranian phishing campaign operated by TA453, also known as Charming Kitten. Its aims are to gain information on foreign policy, insight into Iran's dissident movements, and an understanding of the US nuclear negotiations.

The English, Chinese, Japanese, Arabic, and French versions are automatically generated by AI, so there may still be inaccuracies in translation; please always refer to the Indonesian version as our main language. (system supported by DigitalSiber.id)