From Marcy with love: How Iranian hackers set English honey trap for US defence workers

Infiltration group is believed to be aligned with the Islamic Revolutionary Guard Corps

Reflection of male hacker coding working hackathon at laptop
Powered by automated translation

Iranian hackers posed online as an aerobics instructor from England during a years-long operation to lure workers with US defence companies into divulging sensitive information, cyber security analysts say.

The group, known as TA456 or Tortoiseshell, sought out staff in subsidiaries and contractors in an effort to use them as a way to compromise larger companies in the supply chain, analysts at Proofpoint said.

One of the fake identities was Marcella Flores, who appeared to be a glamorous aerobics instructor and university graduate from Liverpool in north-west England.

The persona, operating on Facebook, Instagram and other social media sites, cultivated relationships with target employees before attempting to secretly compromise their computers, according to Proofpoint.

The Flores Facebook profile included a phrase in Spanish beneath "her" photo: “When the melody sounds, the footsteps start moving, the heart sings and the spirit starts dancing.”

Between November 2020 and June, the hackers used the Flores persona to send benign messages, photographs and a coquettish video to an intended victim who worked for a subsidiary of an aerospace contractor.

After attempting to build a trust relationship, the Flores account sent a fake survey about eating habits that was laced with malware that could steal usernames, passwords and other data from the infected computer. The email was signed "Marcy".

It was not clear if the hackers, believed to be aligned with the Islamic Revolutionary Guard Corps, successfully obtained data from their target.

“TA456's years-long dedication to significant social engineering, benign reconnaissance of targets before deploying malware, and their cross-platform kill chain makes them a very resourceful threat and signifies that they must be experiencing success in gaining information that meets their operational goals,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

Proofpoint researchers said the Flores account was unlikely to be the only one used by the hackers.

This month, Proofpoint also exposed an Iranian group masquerading as a British-based academic during a cyber espionage campaign and compromised a website belonging to the School of Oriental and African Studies, University of London.

The Tortoiseshell hackers are among the most resourceful Iran-linked groups operating because of their patience and ingenuity, Ms DeGrippo said.

“This campaign demonstrates that even after an individual is targeted by a persona, it can take months or years for TA456 to attempt to deliver malware.

“Malicious actors will often utilise publicly available information about a target to build up a picture of their role, connections, access to information, and vulnerability to attacks. Oversharing on social media is a particularly risky behaviour in sensitive industries, so organisations should ensure employees are properly and frequently trained in security awareness,” she said.

Proofpoint and Facebook concluded the Flores account was bogus.

On July 15, Facebook removed it in a takedown of users suspected Iranian hacker activity.

Facebook said the accounts it removed were linked to a hacking group it identified as Tortoiseshell, which went after military personnel and companies in the defence and aerospace industries primarily in the US, UK and continental Europe.

“This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage,” Facebook said.

The names of the people and companies who became targets have not been revealed.


Updated: July 29, 2021, 11:07 AM