Veterans hunting for jobs may have thought “Hire Military Heroes” was just another jobs website that would help them find employment.
But in reality, the site prompted users to download an app containing malware that would give the attacker access to a plethora of information about the victim's machine, according to cybersecurity researchers at Cisco Talos.
“The attacker retrieves information such as the date, time and drivers. The attacker can then see information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the list of the account, etc.,” Cisco Talos said in a blog post in September about the malware.
“This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks,” Cisco Talos added.
The phony site shared a similar URL to the site “Hiring Our Heroes,” an employment site the U.S. Chamber of Commerce Foundation launched.
According to the security intelligence and research group, an actor called Tortoiseshell was responsible for the attack — the same actor Symantec identified as being behind attempts targeting Saudi Arabian IT providers.
Cisco Talos and Symantec have not pointed a finger at Iran, but experts claim it’s likely Iran is the culprit. Multiple media reports also suggest the malign actor has ties to Iran.
For example, the National Guard Bureau issued a memorandum on Oct. 2 to service members instructing them to not visit the phony employment site, Stars and Stripes reported. The memorandum claimed that Iranian hackers were interested in getting into a DOD system.
“They’re targeting active servicemembers looking for jobs with the promise of offering assistance for civilian employment once their service ends,” the memo said, according to Stars and Stripes. “The hackers are hoping one of their targets would use a DOD system to download and run the malware.”
The National Guard Bureau deferred to the Pentagon for comment when contacted by the Military Times. The Pentagon did not provide comment on the memo or whether DOD systems were compromised.
“As a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence, or planning,” Elissa Smith, Department of Defense spokeswoman, said in a statement to the Military Times.
Christopher Burgess, who served with the CIA for more than 30 years, believes Iran was behind the attack because of the malware’s history targeting Saudi Arabian IT entities. In a blog post on ClearanceJobs, Burgess said the activity is “consistent with Iranian intelligence efforts given the ongoing Iran-Saudi hostilities.”
“This piece of cyberespionage was designed to compromise the owner’s machine AND allow the complete download of contents, when a [remote access trojan] piece of malware was installed,” Burgess said in an email to the Military Times. “What that permitted is to know everything the user had on their device and how they interacted with other devices. The information could be used to fill out the counterintelligence and operational mosaic of an adversary.”
Burgess also noted Iran already has some information on U.S. service members and their cyber activities, thanks to Monica Witt.
Witt, a former Air Force counterintelligence specialist who defected to Iran in 2013, was charged with espionage on behalf of Iran, according to an indictment that was unsealed in February. The indictment claims that she shared U.S. classified information with an Iranian government official and also compiled research on her former colleagues and coworkers in the U.S. Intelligence Community.
The information was then funneled into “target packages” to help Iran target the former colleagues, the indictment said.
Burgess doesn’t expect that this episode targeting service members and veterans is an isolated incident from Iran.
“They are not slouches when it comes to cyberespionage and they have shown their ability to conduct social engineering operations in the past. I would expect them to do so in the future,” Burgess said.
To avoid being targeted in future attacks, Burgess recommended that veterans and others not download apps to their devices — unless the apps come from a trusted source.
“Do not click on links,” Burgess added. “Never share personal information with sites you have not validated. Your bank will never call, email or SMS for your account data. If something appears legit, check with the originator.”