February 13, 2023 By Jonathan Reed 4 min read

The Department of Health and Human Services’ (DHHS) Health Sector Cybersecurity Coordination Center (HC3) released a security brief in early November outlining how Tehran-backed actors have targeted the defense, healthcare and other sectors.

One incident involved a campaign by a threat group dubbed Tortoiseshell. The group targeted Facebook users by posing as recruiters for medicine, journalism and other industries, duping American and European victims into downloading malware-laced files. Other lures tricked targets into entering their credentials on imposter sites.

Iran-based threat groups aren’t known for state-of-the-art technical capability. However, their creative social engineering tactics enable them to execute successful attacks.

Tortoiseshell found on Facebook

In 2021, Facebook (now Meta) released a report about its role in taking down the Iran-based Tortoiseshell group. Previously the actors focused on the IT industry in the Middle East. Tortoiseshell then pivoted to other regions and industries. Facebook discovered the group had been targeting the defense and aerospace industries, primarily in the U.S., U.K. and Europe.

Tortoiseshell used Facebook as part of a broader cross-platform espionage operation. In addition, the group used email, messaging services and imposter websites to deploy malware payloads.

Sophisticated social engineering campaigns

According to Facebook, Tortoiseshell created realistic fake online personas to contact targets directly. Criminals managed profiles across multiple social media platforms to boost credibility. In some cases, actors engaged with targets for several months to build trust and trick them into clicking on malicious links.

Adversaries often posed as recruiters and employees of defense, aerospace, hospitality, medicine, journalism and non-profit organizations. They then leveraged various collaboration and messaging platforms to shift conversations off-platform and send malware to their targets.

In one attack, according to the DHHS brief, the actors sent an email posing as the Director of Research at the Foreign Policy Research Institute (FPRI). The email asked whether the recipient was interested in participating in an article about Iraq’s position in the Arab world. To add credibility, the attacker CC’d the Director of Global Attitudes Research at the Pew Research Center using a fake email address that routed back to the attacker.

Paul Prudhomme, a former Department of Defense threat analyst, says Iran-based actors typically create multiple social media accounts or other elements of an internet footprint. While not used directly in the attack, these accounts are part of an effort to build the most realistic persona possible.

“A common form of Iranian social engineering is to use a fake LinkedIn account to social-engineer targets with the lure of job opportunities in their respective fields,” says Prudhomme.

Credential stealing schemes

Facebook also said Iranian actors set up fraudulent domains designed to attract targets in the aerospace and defense industries. Some of the rogue sites mimicked the recruiting pages of defense companies; another mimicked a legitimate U.S. Department of Labor job search site.

The main objective was to harvest login credentials for corporate and personal email, collaboration tools and social media. The sites also collected information about visitors’ devices and networks so that the group could deliver malware tailored to the target.
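To make the imposter-site risk concrete, here is an added example (not code from the article, from Facebook or from the DHHS brief) that scores a hostname seen in proxy or DNS logs against an allowlist of the legitimate sites being imitated. dol.gov is the Department of Labor’s real domain; example-defense.com stands in for a defense contractor’s careers site and is hypothetical, as are the confusable-character table, the edit-distance thresholds and the tiny public-suffix stand-in.

```python
"""Score hostnames for look-alikes of protected domains (added example)."""
import unicodedata

# Assumed allowlist of the legitimate sites the personas imitated.
# dol.gov is real; example-defense.com is a hypothetical contractor careers site.
PROTECTED = ["dol.gov", "example-defense.com"]

# Minimal stand-in for the Public Suffix List; real tooling should use the full list.
MULTI_LABEL_TLDS = {"co.uk", "gov.uk", "com.au", "co.jp"}

# Digits and symbols commonly swapped for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a"})


def split_host(domain):
    """Return (registrable_label, tld, all_labels_without_tld)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], "", labels
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_TLDS:
        return labels[-3], ".".join(labels[-2:]), labels[:-2]
    return labels[-2], labels[-1], labels[:-1]


def normalize(text):
    """Fold accented Latin characters to ASCII, map confusable digits, join the
    'rn'/'vv' look-alike pairs and drop separators, so 'D0L-Jobs' == 'doljobs'."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(CONFUSABLES)
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def distance_budget(name):
    """Typo tolerance scaled to name length; short brands get none (too noisy)."""
    return 0 if len(name) < 6 else 1 if len(name) < 10 else 2


def _lookalike(domain, target, reason):
    return {"domain": domain, "verdict": "lookalike", "target": target, "reason": reason}


def classify_domain(domain, protected=PROTECTED):
    label, tld, labels = split_host(domain)
    tokens = [normalize(t) for lab in labels for t in lab.replace("_", "-").split("-") if t]
    norm_label = normalize(label)

    # 1. Exact registrable domain (covers legitimate subdomains like jobs.dol.gov).
    for good in protected:
        g_label, g_tld, _ = split_host(good)
        if (label, tld) == (g_label, g_tld):
            return {"domain": domain, "verdict": "allowlisted", "target": good,
                    "reason": "registrable domain matches"}

    # 2. Same name under another TLD or with confusables, brand embedded in a
    #    longer hostname (d0l-jobs.com, dol.gov.jobs-portal.com), or a near-typo.
    for good in protected:
        g_norm = normalize(split_host(good)[0])
        if norm_label == g_norm:
            return _lookalike(domain, good, "same name with confusable characters or a different TLD")
        if g_norm in tokens or (len(g_norm) >= 6 and g_norm in norm_label):
            return _lookalike(domain, good, "protected name embedded in a longer hostname")
        budget = distance_budget(g_norm)
        if budget and any(levenshtein(t, g_norm) <= budget for t in [norm_label] + tokens):
            return _lookalike(domain, good, "within %d edits of the protected name" % budget)

    return {"domain": domain, "verdict": "unrelated", "target": None, "reason": "no protected name matched"}


if __name__ == "__main__":
    for host in ["jobs.dol.gov", "d0l-jobs.com", "dol.gov.jobs-portal.com",
                 "exarnple-defense-careers.com", "pewresearch.org"]:
        print(classify_domain(host))
```

Run the verdicts against new domains seen in DNS or proxy logs, not against the whole corpus. The ASCII fold handles accented Latin letters only; Cyrillic or Greek look-alikes in IDN hostnames need a full confusables table (Unicode TR39) before the comparison, and three-letter brands such as dol will still produce false positives on unrelated domains that contain the same token.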

Iran-based malware

The Tortoiseshell attacks deployed custom malware. Facebook reported that the toolset included remote-access trojans, device and network reconnaissance tools and keystroke loggers. The group also developed Windows malware known as Syskit, delivered through malicious Microsoft Excel spreadsheets; once opened, the spreadsheets ran system commands to profile the victim’s machine.

Profiling collects the system date and time, installed drivers, patch level, network configuration, hardware and firmware versions, and the names of domain controllers and administrator accounts. With that inventory, the intruder is well-prepared to carry out follow-on attacks.
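The profiling step leaves a recognizable trace in process-creation telemetry: a spreadsheet application spawning a shell that runs several enumeration commands within minutes. The following added example (not code from the article, Facebook or any vendor product) implements that detection over constructed Sysmon Event ID 1-style records. The field names follow Sysmon; the specific commands in the pattern table are the Windows built-ins an attacker would typically use to gather the information listed above, not commands the article attributes to Syskit, and the window and threshold are assumptions.

```python
"""Flag a reconnaissance burst launched from an Office document (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=10)   # assumed: how tightly the commands must cluster
MIN_CATEGORIES = 3               # assumed: distinct recon categories needed to alert

# (category, regex over the lowercased command line), one category per kind of
# data the profiler collects: system details, patch level, network, domain, identity.
RECON_PATTERNS = [
    ("system_info", re.compile(r"\bsysteminfo\b|\bhostname\b|\bdriverquery\b")),
    ("patch_level", re.compile(r"\bwmic\s+qfe\b|\bget-hotfix\b")),
    ("network",     re.compile(r"\bipconfig\s+/all\b|\bnetstat\b|\barp\s+-a\b")),
    ("domain",      re.compile(r"\bnltest\s+/dclist\b|\bnet\s+group\s+\"?domain admins\"?|\bnet\s+user\s+\S+\s+/domain\b")),
    ("identity",    re.compile(r"\bwhoami\b|\bquser\b")),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def recon_categories(cmdline):
    low = cmdline.lower()
    return {cat for cat, rx in RECON_PATTERNS if rx.search(low)}


def office_root(ev, by_pid, max_depth=6):
    """PID of the Office process this event descends from, or None.
    Direct children (EXCEL -> cmd.exe) are caught via ParentImage; indirect ones
    (EXCEL -> cmd.exe -> ipconfig) by walking ParentProcessId links."""
    cur = ev
    for _ in range(max_depth):
        if basename(cur["ParentImage"]) in OFFICE_IMAGES:
            return cur["ParentProcessId"]
        cur = by_pid.get((cur["Computer"], cur["ParentProcessId"]))
        if cur is None:
            return None
    return None


def find_recon_bursts(events):
    by_pid = {(e["Computer"], e["ProcessId"]): e for e in events}
    per_root = defaultdict(list)   # (host, office pid) -> [(time, category, cmdline)]
    for ev in events:
        cats = recon_categories(ev["CommandLine"])
        root = office_root(ev, by_pid) if cats else None
        if root is None:
            continue
        t = datetime.strptime(ev["UtcTime"], TIME_FMT)
        per_root[(ev["Computer"], root)].extend((t, c, ev["CommandLine"]) for c in cats)

    alerts = []
    for (host, root), hits in per_root.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):          # sliding window from each hit
            window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            cats = {h[1] for h in window}
            if len(cats) >= MIN_CATEGORIES:
                alerts.append({"host": host, "office_pid": root,
                               "categories": sorted(cats),
                               "commands": [h[2] for h in window]})
                break                                   # one alert per Office process
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
CMD = r"C:\Windows\System32\cmd.exe"


def _ev(host, ts, pid, ppid, image, parent, cmdline):
    return {"Computer": host, "UtcTime": ts, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmdline}


# Constructed sample (not real logs): a malicious workbook on WS01 spawns cmd.exe,
# which runs the profiling commands; WS02 runs one of them from a user's own shell.
SAMPLE_EVENTS = [
    _ev("WS01", "2023-02-01 09:00:00", 4100, 3000, EXCEL, r"C:\Windows\explorer.exe",
        r"EXCEL.EXE C:\Users\a\Downloads\job_offer.xlsm"),
    _ev("WS01", "2023-02-01 09:01:10", 4120, 4100, CMD, EXCEL, "cmd.exe /c systeminfo > %TEMP%\\s.txt"),
    _ev("WS01", "2023-02-01 09:01:12", 4131, 4120, r"C:\Windows\System32\ipconfig.exe", CMD, "ipconfig /all"),
    _ev("WS01", "2023-02-01 09:01:15", 4140, 4120, r"C:\Windows\System32\net.exe", CMD, 'net group "domain admins" /domain'),
    _ev("WS01", "2023-02-01 09:01:20", 4150, 4120, r"C:\Windows\System32\whoami.exe", CMD, "whoami /all"),
    _ev("WS02", "2023-02-01 09:05:00", 5200, 3000, CMD, r"C:\Windows\explorer.exe", "cmd.exe"),
    _ev("WS02", "2023-02-01 09:05:30", 5210, 5200, r"C:\Windows\System32\ipconfig.exe", CMD, "ipconfig /all"),
]

if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

Requiring several distinct categories under one Office ancestor is what keeps the rule quiet: a help-desk technician running ipconfig from an interactive shell (the WS02 events) never trips it, while the Excel-rooted burst on WS01 does. The ancestry walk needs the parent process’s own creation event to be in the same dataset; for long-running processes that means querying further back than the alert window.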

Some of the malware used was developed by the Tehran IT company Mahak Rayan Afraz, which has ties to the Islamic Revolutionary Guard Corps, Facebook says.

How Iran-based threats stand out

It’s evident that Iran-based actors have some degree of technical sophistication. Still, they lag behind on the technical curve compared to other attackers. As outlined above, they make up for this with elaborate social engineering campaigns.

Adam Meyers from CrowdStrike says that attacks by Iranian threat actors targeting healthcare tend to be more disruptive than attacks backed by other nation-states such as China.

Attacks linked to Iran may involve “lock and leak”, in which the actors deploy ransomware and then leak the stolen data. The goal is primarily to discredit the victim organization rather than to profit. The operators may be backed by the Iranian government or may be Iranian cyber crime gangs.

Meanwhile, nation-state attacks by China on the healthcare sector have often been less disruptive. Chinese-based attacks may focus on intellectual property theft for medical devices, pharmaceuticals and other innovations.

How to stop social engineering attacks

Social engineering is a common attack method criminals use to trick people into downloading malware. The use of realistic pretexts makes this type of attack especially difficult to deter.

Ongoing employee training and testing can sharply reduce the success rate of social engineering attacks. Training means educating employees about the tactics criminals use, such as the fake recruiter personas described above. Testing can include deliberately sending simulated phishing emails and social media messages to assess employee readiness under realistic conditions.

Even with the best education and testing, some attacks will slip through, so other controls are a necessary backstop. Privileged access management (PAM), for example, continuously vets, monitors and analyzes access to protected resources, limiting what a compromised account can reach.
