An Iranian state-sponsored threat actor tracked as TA456 maintained a social media account for several years before engaging with their intended victim, cybersecurity firm Proofpoint reports.
TA456 is known for conducting espionage operations against defense industrial base employees and contractors, mainly those associated with the Middle East. The adversary is believed to be associated with the Iranian company Mahak Rayan Afraz (MRA), which would also link it to the Islamic Revolutionary Guard Corps (IRGC).
The newly detailed activity attributed to the group involved the social media persona “Marcella Flores,” which was used to engage an employee of a subsidiary of an aerospace defense contractor over multiple communication platforms and gain their trust, in an attempt to infect them with malware.
The adversary maintained the online persona for several years, uploading the first photo to the Marcella Flores Facebook profile in 2018 and befriending the intended victim in 2019, if not before.
Proofpoint’s analysis revealed that TA456 engaged in conversations with the targeted employee in November 2020 and that it had actively maintained the discussion with the victim over corporate and personal communication platforms, including email.
In early June 2021, the threat actor delivered a malicious email to the victim, in an attempt to infect them with LEMPO, an updated version of Liderc, a piece of malware previously associated with the Iran-linked threat actor known as Tortoiseshell.
LEMPO, Proofpoint explains, is a Visual Basic script designed for reconnaissance. It can enumerate the host, collect data (date and time, computer name, system information, drives, installed applications, and user details), and exfiltrate it to an attacker-controlled email account using Microsoft’s Collaboration Data Objects (CDO).
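The combination described above, host enumeration paired with mail-based exfiltration through CDO, is what a defender can look for when triaging VBScript files. The following added example (not Proofpoint's code or detection logic) is a small heuristic classifier: the indicator names, regular expressions, the two-recon-indicator threshold and the constructed script fragments are all assumptions made for this illustration.

```python
import re

# Heuristic indicators for LEMPO-style behaviour: host enumeration combined
# with sending mail via CDO. Pattern names and the threshold below are
# assumptions for this example, not a published detection signature.
RECON_PATTERNS = {
    "wmi_system": r"Win32_(OperatingSystem|ComputerSystem|LogicalDisk|Product)",
    "identity": r"\b(ComputerName|UserName|UserDomain)\b",
    "installed_apps": r"CurrentVersion\\Uninstall",
    "timestamp": r"\b(Now|Date|Time)\(\)",
}
EXFIL_PATTERNS = {
    "cdo_message": r'CreateObject\(\s*"CDO\.Message"\s*\)',
    "cdo_smtp_config": r"schemas\.microsoft\.com/cdo/configuration/smtp",
    "send_call": r"\.Send\b",
}

def classify_vbscript(source: str) -> dict:
    """Return the recon/exfil indicators found in one script and a verdict."""
    # VBScript identifiers are case-insensitive, so match case-insensitively.
    recon = {k for k, p in RECON_PATTERNS.items() if re.search(p, source, re.I)}
    exfil = {k for k, p in EXFIL_PATTERNS.items() if re.search(p, source, re.I)}
    # Sending mail from a script is common in admin tooling; only flag it when
    # it is paired with at least two distinct host-enumeration indicators.
    suspicious = {"cdo_message", "send_call"} <= exfil and len(recon) >= 2
    return {"recon": recon, "exfil": exfil, "suspicious": suspicious}

# Constructed sample fragments (not real scripts) used as input.
BENIGN_MAIL = '''
Set msg = CreateObject("CDO.Message")
msg.Subject = "Nightly backup report"
msg.TextBody = "Backup completed"
msg.Send
'''

RECON_THEN_MAIL = '''
Set os = wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")
Set net = CreateObject("WScript.Network")
info = net.ComputerName & "|" & net.UserName & "|" & Now()
Set msg = CreateObject("CDO.Message")
msg.TextBody = info
msg.Send
'''

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MAIL), ("recon", RECON_THEN_MAIL)):
        print(name, classify_vbscript(src))
```

Running the block prints a verdict of False for the benign mail fragment and True for the fragment that enumerates the host before sending mail.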
The Marcella Flores persona employed in this campaign showed similarities with other fictitious profiles that known Iran-linked threat actors have used in operations targeting individuals of interest. Using Marcella’s persona, the adversary befriended several defense contractor employees.
On July 15, Facebook announced that it had taken action against Tortoiseshell. The Marcella Flores persona was removed from the social media platform at that time. According to Proofpoint, while TA456’s activity overlaps with Tortoiseshell and Imperial Kitten operations, the adversary should be tracked separately.
“This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations. […] TA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to deploying malware, and their cross platform kill chain establish TA456 to be one of the most resourceful Iranian-aligned threats,” Proofpoint notes.