Security News

Facebook on Thursday disclosed it dismantled a "Sophisticated" online cyber espionage campaign conducted by Iranian hackers targeting about 200 military personnel and companies in the defense and aerospace sectors in the U.S., U.K., and Europe using fake online personas on its platform. The social media giant pinned the attacks to a threat actor known as Tortoiseshell based on the fact that the adversary used similar techniques in past campaigns attributed to the threat group, which was previously known to focus on the information technology industry in Saudi Arabia, suggesting an apparent expansion of malicious activity.

Recent activity that Facebook associated with the group focused on military personnel, defense organizations, and aerospace entities primarily in the United States and, to a lesser extent, the U.K. and Europe, showing an escalation of the group's cyberespionage activities. Today, Facebook revealed that it took action against similar attacks from the Iranian hacking group, which leveraged its online platform to lure victims into downloading malware.

Masquerading as UK scholars with the University of London's School of Oriental and African Studies, the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links.

In a recent attack campaign, the Iran-linked threat actor tracked as TA453 has been posing as UK scholars with the University of London's School of Oriental and African Studies to engage targets of interest and steal their credentials, security researchers with Proofpoint reveal. Believed to be supporting the information collection efforts of the Iranian Revolutionary Guard Corps, TA453 engaged in benign conversations with their targets, up to the point when they served a 'registration link' leading to a legitimate, albeit compromised website of University of London's SOAS radio.

A sophisticated social engineering attack undertaken by an Iranian-state aligned actor targeted think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies. "Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage," the researchers said in a technical write-up shared with The Hacker News.

Websites of Iran's transport and urbanization ministry Saturday went out of service after a "Cyber disruption" in computer systems of its staff, the official IRNA news agency reported. This is the second abnormality in computer systems related to the ministry.

Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years. The newly discovered APT, which Kaspersky calls Ferocious Kitten, has been active since at least 2015 and has used clever computer infection tricks to hijack Telegram and Chrome installations to deploy a malicious payload. The Russian cybersecurity vendor said it also observed signs that Android implants have been used to target mobile users in Iran.

Over the past year, an Iran-linked threat actor named Agrius has been observed launching destructive attacks on Israeli targets, under the disguise of ransomware attacks, according to endpoint security company SentinelOne. Likely state-sponsored, the threat group initially engaged in cyberespionage attacks, but then attempted to extort victims, claiming to have exfiltrated and encrypted data.

An Iranian hacking group has been observed camouflaging destructive attacks against Israeli targets as ransomware attacks while maintaining access to victims' networks for months in what looks like an extensive espionage campaign. "Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks," said Amitai Ben Shushan Ehrlich, Threat Intelligence Researcher at SentinelOne.

Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis. "Iran's Islamic Revolutionary Guard Corps was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard'," cybersecurity firm Flashpoint said in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel.