Fake veteran hiring website may be tied to foreign actors

« Previous story
Next story »
Fake veteran hiring website may be tied to foreign actors

I'll start with this FoxNews report that specifically states that Iran *may* be behind it:

Researchers have unmasked a website masquerading as a job site for U.S. veterans that may have ties to Iran, according to media reports.

Researchers from security firm Cisco Talos reported this week that the website, Hire Military Heroes, was distributing malware that allows hackers to gain control of the victim’s computer, as reported by Bleeping Computer.

An interesting twist is that the hackers may also be targeting active servicemen and not just veterans, according to ZDNet, which cites that Iran may be behind the attack.

Before I go on to what it does though, the Iran angle doesn't seem clear to me.

 From ZDNet:

Iran's government-backed hackers are trying to infect US military veterans with malware with the help of a malicious website, researchers from security firm Cisco Talos reported on Tuesday.

The website, located at hiremilitaryheroes[.]com (pictured above), offers a fake desktop app for download, in the hopes that US military veterans would download and install it, presumably to gain access to job offerings.

But Cisco Talos researchers say the app only installs malware on users' systems and shows an error message, indicating that the installation failed.

Here's what gives me some pause though, the Cisco Talos report actually doesn't mention Iran at all.  Although it does mention some group called Tortoiseshell:

Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to the legitimate service from the U.S. Chamber of Commerce, https://www.hiringourheroes.org. The site prompted users to download an app, which was actually a malware downloader, deploying malicious spying tools and other malware.

This is just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attacker on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs)

According to another report though, from DarkReading, draws the line that Cisco didn't:

"Tortoiseshell is not well-documented. [The research] shows that this actor is offensive for months, they create fake websites, and they probably use social engineering to send targets on these websites," he says. "We identified at least two installers, a couple of variants of the same RAT, a keylogger, and few reconnaissance tools. The toolkit of this actor is growing."

The researchers haven't pinpointed the initial infection vector, however. "[I]t could be spear-phishing or social media usage such as LinkedIn, as we saw during DNSpionage campaign," he says, referring to an attack campaign last year that used fake job websites.  

CrowdStrike, meanwhile, had tagged the group as Imperial Kitten, an Iranian nation-state operation that has been operating since 2017. The group has been known to target Saudi Arabian, United Arab Emirates, and Western maritime, IT services, defense, and military veterans, notes Adam Meyers, vice president of intelligence at CrowdStrike. Imperial Kitten supports Iran's Islamic Revolutionary Guard Corps operations using tactics such as phony job recruitment, social media, and IT service provider attacks, he says.

So there you go, I guess.  I know absolutely nothing about hackers, other than they are prolific emailers to me, but this group is certainly bad, whether Iranian Gov't backed or not.  The name "Imperial Kitten" isn't all that fear-inspiring, but what do I know?

To see exactly what they are doing from a technical point of view, go read the Cisco Talos report.  But the gist of this is, be careful what websites you are on if you are looking for a job.  Obviously the Chamber of Commerce one is fine, and their goal laudable, but the similiarly named one may (or may not) be an Iranian hacker group.


So the picture above actually doesn't have a lot to do with this story, but it is funny to me.  Like I noted earlier, I know next to nothing about hacking, but I wanted to do some research so I didn't screw it up completely.  After a while I hit upon the Youtube below, which may or may not be of interest to our general readership, but which I found fascinating.  Not because of the tech talk stuff, but more so the fact that a guy in a wizard costume is interviewing a guy "with skin that is bioluminescent at 200 meters below sea level".  Which is again interesting in a sort of odd way, but more pertinently, Craig Heffner, being interviewed here and pictured above, was once upon a time SPC Heffner, a member of my infantry squad.  I spent a year with him in Afghanistan, and if his skin is in fact composed of some miraculous qualities, I missed it.

Posted in the burner | 1 comment
« Previous story
Next story »


* To comment without a Facebook account, please scroll to the bottom.


Damn Iranians.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Have a tip for us? A link that should appear here? Contact us.
News from the World of Military and Veterans Issues. Iraq and A-Stan in parenthesis reflects that the author is currently deployed to that theater.