February 13, 2023 By Jonathan Reed 4 min read

The Department of Health and Human Services’ (DHHS) Health Sector Cybersecurity Coordinating Center released a security brief in early November outlining how Tehran-backed actors have targeted the defense, healthcare and other sectors.

One incident involved a campaign by a threat group dubbed Tortoiseshell. The group hacked Facebook users by posing as recruiters for medicine, journalism and other industries. Their efforts duped American and European victims into downloading malware-infected files. Other scams tricked targets into giving up credentials on imposter sites.

Iran-based threat groups aren’t known for state-of-the-art technical capability. However, their creative social engineering tactics enable them to execute successful attacks.

Tortoiseshell found on Facebook

In 2021, Facebook (now Meta) released a report about its role in taking down the Iran-based Tortoiseshell group. Previously the actors focused on the IT industry in the Middle East. Tortoiseshell then pivoted to other regions and industries. Facebook discovered the group had been targeting the defense and aerospace industries, primarily in the U.S., U.K. and Europe.

Tortoiseshell used Facebook as part of a broader cross-platform espionage operation. In addition, the group used email, messaging services and imposter websites to deploy malware payloads.

Sophisticated social engineering campaigns

According to Facebook, Tortoiseshell created realistic fake online personas to contact targets directly. Criminals managed profiles across multiple social media platforms to boost credibility. In some cases, actors engaged with targets for several months to build trust and trick them into clicking on malicious links.

Adversaries often posed as recruiters and employees of defense, aerospace, hospitality, medicine, journalism and non-profit organizations. They then leveraged various collaboration and messaging platforms to shift conversations off-platform and send malware to their targets.

In one attack, actors sent an email posing as the Director of Research at the Foreign Policy Research Institute (FPRI), as per the DHHS. The email asked if the recipient was interested in participating in an article about Iraq’s position in the Arab world. The malicious actor even CC’d the Director of Global Attitudes Research at the Pew Research Center using a fake email address that circled back to the attacker.

Paul Prudhomme, a former Department of Defense threat analyst, says Iran-based actors typically create multiple social media accounts or other elements of an internet footprint. While not used directly in the attack, these accounts are part of an effort to build the most realistic persona possible.

“A common form of Iranian social engineering is to use a fake LinkedIn account to social-engineer targets with the lure of job opportunities in their respective fields,” says Prudhomme.

Credential stealing schemes

Facebook also said Iranian actors set up illicit domains designed to attract targets in the aerospace and defense industries. Some of the rogue sites mimicked recruiting websites for defense companies. They also created a platform that mimicked a legitimate US Department of Labor job search site.

The main objective of these tactics was to steal login credentials for corporate and personal email, collaboration tools and social media. Another goal was to gather information about victims’ devices and networks in order to deliver malware.

Iranian-based malware

The Tortoiseshell attacks deployed custom malware. Facebook reported the malicious tools included remote-access trojans, device and network reconnaissance tools and keystroke loggers. In addition to these tools, the group developed malware for Windows, known as Syskit. The malware included links to infected Microsoft Excel spreadsheets, which enabled various system commands to profile the victim’s machine.

Machine profiling retrieves information such as the date, time and drivers. The attacker can then see system information, patch levels, network configurations, hardware, firmware versions, domain controller and admin names. All this information makes the intruder well-prepared to carry out additional attacks.
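As an added example (not code from the article or from Meta’s report), the following Python detector flags the behaviour just described: an Office application spawning a shell that runs host-profiling commands. The log format (Sysmon-style JSON fields such as ParentImage, Image and CommandLine) and the sample events are constructed for this example.

```python
import json

# Host-profiling tools: date/time, drivers, patch level, network
# configuration, domain controllers and admin group membership.
RECON_COMMANDS = {"systeminfo", "driverquery", "ipconfig", "whoami",
                  "hostname", "nltest", "net", "wmic", "tasklist", "qwinsta"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def first_command(cmdline):
    """First program named on a shell command line, ignoring the shell
    itself and its switches (/c, -Command, ...); a '.exe' suffix is dropped."""
    for tok in cmdline.split():
        raw_tok = tok.strip('"')
        if raw_tok.startswith(("/", "-")):
            continue
        t = basename(raw_tok)
        if t in SHELLS:
            continue
        return t[:-4] if t.endswith(".exe") else t
    return ""

def flag_office_recon(events):
    """Return one alert per JSON process-creation event in which an Office
    application spawned a shell that runs a host-profiling command."""
    alerts = []
    for raw in events:
        ev = json.loads(raw)
        parent = basename(ev.get("ParentImage", ""))
        if parent not in OFFICE_PARENTS or basename(ev.get("Image", "")) not in SHELLS:
            continue
        cmd = first_command(ev.get("CommandLine", ""))
        if cmd in RECON_COMMANDS:
            alerts.append({"host": ev.get("Computer"), "parent": parent,
                           "command": cmd, "cmdline": ev.get("CommandLine")})
    return alerts

# Constructed sample events (Sysmon-style field names; not real telemetry).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    json.dumps({"Computer": "ws01", "ParentImage": EXCEL, "Image": CMD,
                "CommandLine": r"cmd.exe /c systeminfo > %TEMP%\si.txt"}),
    json.dumps({"Computer": "ws01", "ParentImage": EXCEL, "Image": CMD,
                "CommandLine": 'cmd.exe /c net group "domain admins" /domain'}),
    json.dumps({"Computer": "ws02", "ParentImage": r"C:\Windows\explorer.exe",
                "Image": CMD, "CommandLine": "cmd.exe /c ipconfig /all"}),
    json.dumps({"Computer": "ws03", "ParentImage": EXCEL, "Image": CMD,
                "CommandLine": "cmd.exe /c echo hello"}),
]
```

Only the two Excel-spawned shells running `systeminfo` and `net` are flagged; the Explorer-launched `ipconfig` and the harmless `echo` are not. A production rule would be scoped further (for example, `net` only with `group` or `user` subcommands) to reduce noise from legitimate macros.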

Some of the malware used was developed by the Tehran IT company Mahak Rayan Afraz, which has ties to the Islamic Revolutionary Guard Corps, Facebook says.

How Iran-based threats stand out

It’s evident that Iran-based actors have some degree of technical sophistication. Still, they lag behind on the technical curve compared to other attackers. As outlined above, they make up for this with elaborate social engineering campaigns.

Adam Meyers from CrowdStrike says that attacks by Iranian threat actors targeting healthcare tend to be more disruptive than attacks backed by other nation-states such as China.

Attacks linked to Iran may involve “lock and leak”, in which threat actors unleash ransomware and then leak data. The goal is primarily to discredit organizations rather than seek financial gain. These attacks may either be backed by the Iranian government or conducted by Iranian cyber crime gangs.

Meanwhile, nation-state attacks by China on the healthcare sector have often been less disruptive. China-based attacks may focus on intellectual property theft for medical devices, pharmaceuticals and other innovations.

How to stop social engineering attacks

Social engineering is a common attack method criminals use to trick people into downloading malware. The use of realistic pretexts makes this type of attack especially difficult to deter.

Ongoing employee training and testing can effectively halt social engineering attacks. Training includes educating employees about the different types of social engineering tactics criminals might use. Testing can include intentionally sending fake emails and social media messages for real-world assessment of employee readiness.

Even with the best education and testing, some attacks can slip through. That’s why other security tools are a necessary backup. For example, with privileged access management (PAM), access is continuously vetted, monitored and analyzed to protect resources.
