“Based on our analysis of the capabilities of this malware, we believe it was target-tailored to understand the type of software that the device was running and the networks that it was connected to, to presumably assist in future targeting efforts for the attackers,” Mike Dvilyanski, Facebook's head of cyber espionage investigations, told CBS News.
He alleged the hackers also used fake websites to steal the login credentials of victims’ social media profiles and their corporate and personal email accounts. Dvilyanski said it’s difficult for Facebook to determine the impact of the espionage operation because the hackers allegedly attempted to deliver the malware once conversations moved away from the social media platform.
Tortoiseshell’s operation involved at least four phases and began with reconnaissance to find potential targets, according to Dvilyanski. “We saw a big investment in this phase,” he said. “There’s a large research component that goes into that type of targeting.”
The next phase involved creating fake personas across multiple social media sites and building trust with the potential victims. In some cases, attempts to engage targets went on for months, Dvilyanski said. He added that Facebook has been tracking Tortoiseshell’s activity on the platform since mid-2020.
Some of the fictitious personas claimed to work in hospitality, medicine and journalism. Others posed as recruiters or employees of defense and aerospace companies, Facebook said. Tortoiseshell also allegedly used fake websites with spoof domains appearing to represent news organizations like CNN, The Guardian, and Reuters as well as recruiting sites for defense companies like Lockheed Martin. In one instance, the hackers managed to set up infrastructure that spoofed a legitimate U.S. Department of Labor job search site, according to Facebook.
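The spoofed news-organization and recruiting domains described above are the kind of infrastructure a defender can triage from newly observed hostnames (certificate transparency feeds, proxy logs, DNS telemetry). The following is an added example, not code from Facebook, CBS News, or the article: a small lookalike-domain check against a brand watch list. The watch list mirrors the organizations the article names, but the genuine domains in it are assumed, and every hostname in the sample input is constructed for illustration and is not a domain Facebook reported.

```python
"""Lookalike-domain triage for a brand watch list (added defender-side example).

Not Facebook's or CBS News's code. WATCH_LIST mirrors organisations the article
names; every hostname in SAMPLE_HOSTNAMES is constructed for illustration and
is not a domain the article reports.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed watch list: brand -> genuine registrable domain (assumed; verify
# against your own asset inventory before relying on it).
WATCH_LIST: Dict[str, str] = {
    "CNN": "cnn.com",
    "The Guardian": "theguardian.com",
    "Reuters": "reuters.com",
    "Lockheed Martin": "lockheedmartin.com",
    "U.S. Department of Labor": "dol.gov",
}

# Two-label public suffixes understood by the naive split below. A real tool
# should consult the Public Suffix List instead of this short set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Digit-for-letter substitutions commonly seen in typosquats.
_DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


@dataclass
class Finding:
    hostname: str
    brand: str
    reason: str


def registrable_domain(hostname: str) -> str:
    """Return the registrable part of a hostname ('www.cnn.com' -> 'cnn.com')."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Fold look-alike spellings so 'reuter5' and 'rn' standing in for 'm' compare equal."""
    return name.translate(_DIGIT_FOLD).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_hostname(hostname: str, watch_list: Dict[str, str] = WATCH_LIST) -> Optional[Finding]:
    """Return a Finding if the hostname impersonates a watched brand, else None."""
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in watch_list.values():
        return None  # the brand's own domain, or a genuine subdomain of it
    sld = reg.split(".")[0]
    tokens = sld.split("-")
    for brand, legit in watch_list.items():
        legit_sld = legit.split(".")[0]
        # 1. Genuine domain used as leading labels of a foreign host: 'cnn.com.news-login.net'
        if f".{legit}." in f".{host}.":
            return Finding(hostname, brand, "legitimate domain embedded in a foreign hostname")
        # 2. Brand label glued to another word: 'lockheedmartin-careers.com'
        if legit_sld in tokens or (
            len(legit_sld) >= 5 and (sld.startswith(legit_sld) or sld.endswith(legit_sld))
        ):
            return Finding(hostname, brand, "brand name inside a different registrable domain")
        # 3. One edit (or a digit swap) away from the genuine domain: 'reuter5.com'
        if edit_distance(normalize(reg), normalize(legit)) <= 1:
            return Finding(hostname, brand, "near-miss spelling of the genuine domain")
    return None


def scan(hostnames: List[str]) -> List[Finding]:
    """Run check_hostname over a list of observed hostnames, keeping only the hits."""
    return [f for f in (check_hostname(h) for h in hostnames) if f is not None]


# Constructed sample input: genuine hosts, lookalikes, and an innocent
# near-collision ('idol.com' must not be flagged for 'dol.gov').
SAMPLE_HOSTNAMES = [
    "www.cnn.com",
    "jobs.lockheedmartin.com",
    "cnn.com.news-login.net",
    "lockheedmartin-careers.com",
    "reuter5.com",
    "theguardain.com",
    "dol.gov.apply-now.com",
    "idol.com",
    "example.org",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTNAMES):
        print(f"{finding.hostname:30} -> {finding.brand}: {finding.reason}")
```

The three checks are ordered from least to most false-positive-prone: an embedded genuine domain is almost always deliberate, a brand token inside another registrable domain is usually worth a look, and the edit-distance check is kept at one edit on the whole registrable domain so that short brand labels such as `dol` do not flag unrelated words. Hits from a check like this are a triage queue for an analyst, not a block decision on their own.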
“The group invested time in the creation of these fake personas and building them to be believable and credible to engage with their targets and also understanding their targets,” Dvilyanski said.
The third and fourth phases, which Facebook said it doesn’t have direct visibility into, involved convincing targets to move the conversation away from the social media site to either email or other collaborative tools for the delivery of the malware.
The malware included custom tools believed to be unique to Tortoiseshell’s operation and included fully-featured remote-access trojans, device and network reconnaissance tools, and keystroke loggers.
Remote access trojans give hackers administrative control over a computer; the malware is typically delivered as an email attachment. Keystroke loggers let the criminals covertly record the keys struck on the victim’s keyboard.
One variant of the malicious tool was embedded in a Microsoft Excel document that was capable of recording saved data from the victim’s computer. According to Facebook’s analysis, this step presumably required the attacker to trick the victim into saving the document and emailing it back to the hackers.
Facebook said it took down about 200 fake accounts that were used by the hackers, informed industry peers and law enforcement officials about the group, and is in the process of notifying all the individuals that were targeted.
David Agranovich, Facebook’s director of threat disruption, told CBS News that Tortoiseshell’s operation included all the hallmarks of a well-run espionage campaign.
“They were consistently working hard both to avoid detection, to run personas that were well designed and intended to look as authentic as possible and were consistently trying to re-engage with targets,” Agranovich said.
He added that Facebook’s analysis found a “significant expansion” of internet espionage activities from Tortoiseshell, which has previously focused on targeting IT companies in the Middle East.
Agranovich’s team tracks Coordinated Inauthentic Behavior (CIB) across Facebook. CIB operations are designed to gain reach and propagate particular narratives. In contrast, Agranovich said, the cyber espionage activity is “highly targeted and instead designed to collect information about those targets and fly below the radar.”
Cybersecurity experts describe Tortoiseshell as fairly sophisticated and thoughtful in its operations. Caroline Wong, the chief strategy officer for cybersecurity firm Cobalt, said Tortoiseshell’s ability to hide its tracks is an indication that the group is not “amateurs looking for quick cash or entertainment.”
Wong said the group appeared to be most active in 2018 and 2019, adding that their most well-known attack on IT providers in the Middle East included a similar approach to the more recent attacks on SolarWinds and Kaseya. “In each of these cases the threat actor targeted a ‘stepping stone’ type of organization in order to gain access to the next, more interesting targets.”
The social engineering tactic – using fake personas to connect with and trick targets – that Tortoiseshell deployed can be very effective and appears to be a rising trend among cyber criminals. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), there has been an overall jump in social engineering breaches since last year, continuing an upward trend since 2015.
Wong, whose company provides penetration testing services for clients to determine potential vulnerabilities in computer systems, said hackers are most interested in reaching their target as quickly and easily as possible.
“In some cases, it’s easier to exploit a technical vulnerability in software. In other cases, it’s easier to exploit human psychology and trick people using some sort of social engineering scam,” Wong said.