Iran’s hackers used ‘Marcella’ to entrap defence workers
SHE introduced herself as Marcella Flores, an aerobics instructor at the Harbour Health Club Liverpool, and spent months building a flirtatious online relationship with an employee of an aerospace defence contractor.
But behind the persona of a graduate of the University of Liverpool was a sophisticated hacking group linked to the Iranian government.
The hackers built a rapport with the target with friendly emails, photos and even a video before sending a link to malware disguised as a diet survey.
An American cybersecurity group yesterday said the malware – designed to steal usernames, passwords and other data from the infected computer – was sent by a hacking group called TA456 or Tortoiseshell.
Tortoiseshell sent the link as part of a campaign against smaller subsidiaries in the aerospace and defence industry in the UK, US and Europe, to compromise bigger companies further up the supply chain, according to the report published by the Californian cybersecurity firm Proofpoint Inc.
Proofpoint declined to identify the people or companies targeted and did not say whether the hackers obtained any information from the employee.
The security firm said its software had successfully blocked the hackers’ links to the malicious files, but it added that Tortoiseshell was one of the most resourceful and persistent Iran-linked groups it had tracked, deploying sophisticated methods over a long period to dupe its targets.
Sherrod Degrippo, Proofpoint’s senior director of threat research and detection, said: “This campaign demonstrates that even after an individual is targeted by a persona, it can take months or years for TA456 to attempt to deliver malware.”
Earlier this month, Facebook announced that it had disrupted a network of Facebook and Instagram accounts, including Marcella Flores’s, that it attributed to Tortoiseshell.
“This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said in a statement on July 15.
Its investigation found that the hackers used sophisticated fake online personas and had spent months building the trust of their targets to trick them into clicking malicious links.
“This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage,” Facebook said.
Both Proofpoint and Facebook concluded the “Marcy” account was fake. Calls to Harbour Health Club Liverpool went unanswered yesterday.
Facebook concluded that some of Tortoiseshell’s malware was developed by Mahak Rayan Afraz, an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps. Proofpoint agreed with this assessment “based on previous malware analysis and historical open-source research”.
A September 2019 report from another security company, Symantec, said that Mahak Rayan Afraz had targeted information technology providers in Saudi Arabia “in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers”.
Mahak Rayan Afraz did not immediately respond to a request for comment from Bloomberg. Iran’s Foreign Ministry did not respond to a message from Bloomberg seeking comment.
Marcella Flores’s Facebook account has now been suspended. “The Marcella Flores persona is likely not the only one in use by TA456,” Proofpoint said, warning defence industry workers to be vigilant when engaging with unknown individuals online.