Hackers posed as flirtatious UK aerobics instructor while targeting US defense contractor’s employee

Cybersecurity researchers said that hackers with ties to the Iranian government targeted U.S. defense contractors in attempts to install malware, including by posing as a United Kingdom-based aerobics instructor. 

Security software firm Proofpoint said in a Wednesday report that researchers had identified “a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456,” also known as “Tortoiseshell.” 

The California-based cybersecurity firm said that “TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor,” by using the social media persona “Marcella ‘Marcy’ Flores.”

According to Proofpoint, the hackers portrayed Flores as an aerobics instructor and a graduate of the University of Liverpool, and that over a period of at least eight months, Flores “sent TA456’s target benign email messages, photographs, and a video to establish her veracity and build rapport with the intended victim.” 

“At one time, TA456 attempted to send a benign, but flirtatious video via a OneDrive URL,” Proofpoint said, adding that in early June 2021, a TA456 actor who identified as “Marcy” sent another OneDrive link disguised as a diet survey. 

Proofpoint included a screenshot in its report of the now-suspended Facebook profile of Flores, which the firm alleged was used by Iran-backed hackers to communicate with the targeted aerospace employee and other contract workers since at least November 2020. 

The firm noted that its security software was able to block the hackers’ links to malicious files, though it was unclear if the hackers were able to successfully obtain any data through the campaign. 

The report comes just weeks after Facebook said that it had disrupted efforts by Tortoiseshell to target U.S. military personnel and the defense industry in other countries, including in the U.K. and throughout Europe. 

Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and David Agranovich, director of threat disruption at the company, said in a statement at the time that the reported activity “had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it.” 

In a statement to Bloomberg News Wednesday, Sherrod DeGrippo, Proofpoint’s senior director of threat research and detection, said that the campaign “demonstrates that even after an individual is targeted by a persona, it can take months or years for TA456 to attempt to deliver malware.” 

The thwarted campaigns come amid increased concerns about targeted malware attacks on the U.S. and other countries by Iranian and Russian groups.

Facebook revealed in May that a third of the 150 networks that the company shut down between 2017 and 2020 for “coordinated inauthentic behavior” came from Iran or Russia.