SAN FRANCISCO -- Facebook on Thursday (July 15) said it disrupted an Iran-based espionage operation targeting defence and aerospace workers in Europe and the United States.
Fake accounts posing as company job recruiters or employees were used to dupe targets, according to head of cyber espionage investigations Mike Dvilyanski.
"This effort was highly targeted," Dvilyanski said in a telephone briefing.
"It is hard for us to know how successful this campaign was, but it had all the hallmarks of a well-resourced operation."
Some of the malicious code used in the cyber spying campaign was developed by Mahak Rayan Afraz, a Tehran-based tech company with ties to the Islamic Revolutionary Guard Corps (IRGC), according to Dvilyanski.
Facebook took down 200 accounts it said were used to dupe defence or aerospace industry workers into connecting outside the social network, for example by email or at bogus job websites.
"These accounts often posed as recruiters and employees of defence and aerospace companies from the countries their targets were in," Facebook said. "Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines."
"Our investigation found that this group invested significant time into their social engineering efforts across the internet, in some cases engaging with their targets for months," Facebook said.
"They leveraged various collaboration and messaging platforms to move conversations off-platform and send malware to their targets."
The group, referred to as "Tortoiseshell", had focused its activities on the Middle East until last year, when it took aim primarily at the United States, according to Dvilyanski.
"This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage," said Facebook director of threat disruption David Agranovich.
"Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and its activity on Facebook manifested primarily in social engineering and driving people off-platform."
Malware slipped onto victims' devices was designed to glean information, including log-in credentials for email or social media accounts, Dvilyanski said.
Facebook said it appeared fewer than 200 users may have fallen for the ruse, and that those people have been notified of the deception.
Facebook also blocked some of the booby-trapped website links from being shared on the social network, according to executives.
The US tech giant added that it shared findings with internet industry peers and law enforcement.
"We were only part of this campaign, and we are taking action on our platform," Dvilyanski said.
Iran's Cyber Army
Iran's malign cyber activities have not been limited to hacking.
According to the Tribune, a French daily, the Iranian government has some 255,000 employees collectively known as the Cyber Army.
Members of the Cyber Army are hired to participate in and influence social networks, and each of them manages an average of four to five accounts on Twitter and other forms of social media.
In order to keep working and getting paid, the Cyber Army's members must submit a daily report on their performance. In addition to following and "liking" posts, they are assigned to comment on and support the regime's views.