Transitioning from active duty to civilian? A veteran looking for employment? Well, if your were looking for work or supporting the initiative of the U.S. Chamber of Commerce Foundation – “Hiring Our Heroes” initiative, and you visited the website “hiringourheros.com” and not the “hiringourheros.org”, you probably saw an attempt to infect your device with malware.
The cybersecurity researchers at Cisco’s Talos identified the “Tortisesshell” hacking group as being the creation of the doppelganger website. Cybersecurity company Symantec previously identified the group as targeting Saudi Arabian IT.
“This new campaign utilizing the malicious hiring website represents a massive shift for Tortiseshell. This particular attack vector has the potential to allow a large swath of people to become victims of this attack. Americans are quick to give back and support the veteran population. Therefore, it’s this website has a high chance of gaining traction on social media where users could share the link in the hopes of supporting veterans,” reported Talos.
Neither Cisco Talos nor Symantec associated the group with a nation state, though various media outlets point the finger at Iran as being behind The Tortiseshell.
Iran’s hand in play?
The plausibility of Iran’s hand being in play is high. The fact that the malware found by the security researchers had previously been used in an effort to compromise Saudi Arabian IT entities is totally consistent with Iranian intelligence efforts given the ongoing Iran-Saudi hostilities.
Another factor lays within the body of knowledge which was shared with the Iranians by U.S. counterintelligence defector, Monica Witt. We know from our research into Witt and her sharing of information that the Iranians have used her knowledge in prior efforts to engage U.S. military personnel. Iran is able to leverage Witt’s experience and depth of knowledge of the mannerisms of the U.S. active military servicemember in their last year of their service as they work to line up their next opportunity.
Personnel across all military services and locales, both foreign and domestic, would be potential candidates for falling into the Persian lion’s espionage lair. There is no doubt Iran is interested in collecting information from U.S. military personnel and their devices, especially if those devices are associated with or connected to military or government networks of interest.
No good deed goes unpunished
The U.S. Chamber of Commerce’s initiative to help current servicemembers and veterans find work is highly commendable. The fact that they did not secure the .net, .com, .us domains when securing the non-profit domain .org is what made this effort possible. Had they controlled the .net domain, the website used for this operation would have been unavailable.