Iranian spies tried hacking US military personnel by posing as job recruiters on Facebook

Facebook said it took down the campaign from the hackers known as Tortoiseshell.

Facebook said on Thursday it upended Iranian government-backed hackers who targeted U.S. military personnel and defense companies on its platform before trying to move conversations elsewhere to infect victims with malware.

In a blog post, Facebook linked the campaign to a group known alternately as Tortoiseshell or Imperial Kitten, which had previously focused primarily on Middle East targets. This time, the group was mainly preoccupied with the United States.

“In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe,” wrote Mike Dvilyanski, Facebook’s head of cyberespionage investigations, and David Agranovich, director of threat disruption.

As part of a social engineering effort, the hackers posed via fake online personas as defense and aerospace industry recruiters, or claimed to work in hospitality, journalism, medicine or for non-governmental organizations.


The social media giant said it removed the offending accounts, blocked the sharing of malicious domains, notified potential victims and shared threat information with others in its industry.

Those blocked domains included fake recruiting websites, a spoofed U.S. Department of Labor job site and several that used the Trump family name, a fact that stood out to cybersecurity firm Mandiant.

“The existence of Trump-related domains is notable, though we have no evidence that these domains were operationalized or used to target anyone affiliated with the Trump family or properties,” said Sarah Jones, senior principal analyst for Mandiant Threat Intelligence. “Domains such as these could suggest social engineering associated with US political topics.”

Besides the names Imperial Kitten and Tortoiseshell, the organization also is sometimes labeled Charming Kitten or APT35. FireEye has dubbed this particular activity UNC1833, and says it has a history of going after U.S. information technology targets working in the Middle East.

“Overlaps often reflect the fluid movement of Iranian personnel between companies and organizations supporting Iran’s offensive cyber program,” said Jones.


While Tortoiseshell is usually associated with cyberespionage that scours the Middle East, including a lengthy effort that first surfaced in 2019, the group’s spying has previously bled over into targeting U.S. military veterans.
