Hackers from Iran have spent 18 months posing as an aerobics teacher in a cyber espionage campaign aimed at infecting the computers of employees and contractors working in the defense and aerospace sector with malware. Their purpose was to steal usernames, passwords and other information that could be exploited.
The campaign, active since at least 2019, used Facebook, Instagram and email to present the fake persona "Marcella Flores". The hackers spent months building a relationship with their targets through text messages and emails before attempting to deliver malware.
The campaign has been analyzed by cybersecurity researchers at Proofpoint who have associated it with TA456 - also known as Tortoiseshell - an Iranian government hacking group.
The length of time the fake profile remained in use demonstrates the effort and perseverance of those behind the espionage campaign in targeting the people of interest to them. Their main targets were people working for US defense contractors, especially those involved in supporting operations in the Middle East.
Marcella's public Facebook profile claimed she was an aerobics teacher in Liverpool, England.
The hackers behind the fake persona used emails, social media profiles, photos and even love messages to give the impression that she was a real person.
After a period of messaging, the intruders used a Gmail account they had set up to send the victim a OneDrive link to a document or video file. The malware it delivered is an updated version of Liderc, which the researchers named Lempo.
This malware creates persistence on the victim's Windows computer, allowing hackers to search for and steal sensitive information. Proofpoint said that due to the specific targeting of the victims it was not possible to say if the attacks were successful.
Stolen usernames and passwords could help intruders conduct further espionage campaigns. It is possible that the specific targets were chosen because stealing their credentials could provide the attackers with the means to go further in the supply chain and gain access to the defense and aerospace networks.
Stolen passwords could be exploited to gain remote access through VPNs and remote-access software, or the compromised credentials could be used to carry out further phishing attacks.
Facebook shut down Marcella's profile in July after it identified the account, along with others, as part of Tortoiseshell's cyber espionage operations. Facebook has linked the malware used in the campaigns to an Iranian IT company with links to the IRGC.