Iranian hackers targeting military and defence industries

A group of Iranian hackers have used Facebook and other platforms to target military personnel and companies in the defence and aerospace industries, primarily in the US but also, to a lesser extent, in Europe. They have used a variety of tactics to identify targets and infect their devices with malware to spy on them.

Facebook says the company has identified them and stopped their ability to use Facebook to distribute malware and organize espionage operations across the internet.

We shared our findings and threat indicators with industry peers so they too can detect and mitigate this activity. To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.


The group is known in the security industry as Tortoiseshell, the company said in a blog post. The group’s activity was ”previously reported to mainly focus on the information technology industry in the Middle East. In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe. This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.”

”This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it.”


“Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and the group’s activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing the malware itself.”

Tortoiseshell used fake online personas to contact its targets, build trust and trick them into clicking on malicious links. These fictitious personas had profiles across multiple social media platforms to make them appear more credible to targets.


The group created a set of tailored domains designed to attract particular targets within the aerospace and defense industries like fake recruiting websites.

”This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers. Among these tools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for years. They also shared links to malicious Microsoft Excel spreadsheets, which enabled malware to perform various system commands to profile the victim’s machine”, Facebook said.

”Our investigation and malware analysis found that a portion of their malware was developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some of the current and former MRA executives have links to companies sanctioned by the US government.”

Moonshot News is an independent European news website for all IT, Media and Advertising professionals, powered by women and with a focus on driving the narrative for diversity, inclusion and gender equality in the industry.