BACKGROUND:
Facebook has released an intel report on Iranian threat activity. The report discloses actions the company took against a group of hackers in Iran, known as Tortoiseshell, to disrupt their ability to use their infrastructure to abuse the platform, distribute malware and conduct espionage operations across the internet, targeting primarily the United States.
<p>We track most of the activity described in the Facebook article as UNC1833, a group which has historically targeted people and organizations affiliated with the U.S. military and information technology (IT) providers in the Middle East since at least 2018. Some resources used by the group are tied to other Iranian groups such as APT35. Such overlaps often reflect the fluid movement of Iranian personnel between companies and organizations supporting Iran’s offensive cyber program. Facebook’s description of Iranian groups that outsource all or parts of their operations to outside companies is consistent with our observations. We assess that a front company tied to the IRGC is involved in these operations.</p>
<p>The existence of Trump-related domains is notable, though we have no evidence that these domains were operationalized or used to target anyone affiliated with the Trump family or properties. Domains such as these could suggest social engineering themed around U.S. political topics. In the past we have seen targeting of the U.S. political sphere by IRGC-affiliated actors. Iran remains an aggressive cyber actor that shouldn’t be ignored. Though much of its activity is focused on the Middle East, it is not limited to its region.</p>