Fake accounts posing as company job
recruiters or employees were used to dupe targets, according to head of cyber
espionage investigations Mike Dvilyanski.
“This effort was highly targeted,”
Dvilyanski said in a telephone briefing.
“It is hard for us to know how successful
this campaign was, but it had all the hallmarks of a well-resourced operation.”
Some of the malicious code used in the
cyber spying campaign was developed by the Mahak Rayan Afraz tech company in
Tehran, which has ties to the Islamic Revolutionary Guard Corps, according to
Dvilyanski.
Facebook took down 200 accounts it said
were used to dupe defense or aerospace industry workers into connecting outside
the social network, through techniques such as compromised emails or bogus job
websites.
The group referred to as “Tortoiseshell”
had focused its activities in the Middle East until last year, when it
primarily took aim at the United States, according to Dvilyanski.
“This group used various malicious tactics
to identify its targets and infect their devices with malware to enable
espionage,” said Facebook director of threat disruption David Agranovich.
“Our platform was one of the elements of
the much broader cross-platform cyber-espionage operation, and its activity on
Facebook manifested primarily in social engineering and driving people
off-platform.”
Malware slipped onto victims' devices was
designed to glean information including log-in credentials for email or social
media, according to Dvilyanski.
Facebook said it appeared fewer than 200
users may have fallen for the ruse, and that those people have been notified of
the deception.
Facebook also blocked some of the
booby-trapped website links from being shared within the social network,
according to executives.
The tech giant added that it shared
findings with internet industry peers and law enforcement.
“We were only part of this campaign, and we
are taking action on our platform,” Dvilyanski said.