Stuart Davis, a director at FireEye’s speaks to journalists about the techniques of Iranian hacking, Sept. 20, 2017, in Dubai, UAE. (AP))

July 29, 2021

A group of Iranian hackers posed as aerobics instructors from Liverpool, UK, and sent flirtatious messages in an attempt to steal sensitive information from defense and aerospace industry personnel.

The hackers’ false identities were exposed by Facebook and the cybersecurity company Proofpoint, which said the operation proves the effort that Iran is putting into targeting individuals of interest.

A fake Facebook page that was controlled by an Iranian hacker, according to reports. (Screenshot)

A fake Facebook page that was controlled by an Iranian hacker, according to reports. (Screenshot)

The hackers have been identified as part of the TA456 group, which also goes by the name of Tortoiseshell — a group widely believed to be aligned with the Islamic Revolutionary Guard Corps.

Proofpoint described the group as “one of the most determined Iranian-aligned threat actors” that it tracks, due to tactics of spending months or years building up a relationship with targets across various platforms, as well as its “general persistence.”

The operatives created fake Facebook, Instagram and email accounts for a woman named Marcella Flores. She was depicted as a smiling, tanned and dark-haired Spanish woman working as a fitness instructor in Liverpool. They created a fake education and work history for her.

Proofpoint said that Flores would target people who publicly identified themselves as employees at defence contractors on social media accounts, befriending them before starting up a conversation.

In one case, she sent the target benign messages and photographs, as well as a “flirtatious” video to build a rapport, before later sending a link to a dietary survey but that in fact contained a malware download that would steal usernames, passwords and other data.

Proofpoint did not say whether the attacks were successful, but if they were, the stolen information could be used to gain access to larger aerospace companies that the original target was a subsidiary or contractor for.

Facebook banned her account and that of several others earlier this month, saying that they were all fake online personas created by the Iranian operatives to “conduct espionage operations across the internet.”

Facebook said: “Our investigation found them targeting military personnel and companies in the defence and aerospace industries primarily in the US, and to a lesser extent in the UK and Europe.”

When the comprehensive campaign was revealed, Amin Sabeti, an expert in Iranian cyber-operations, told Arab News that the strategy — which he dubs “social engineering” hacking — is a go-to tactic for Iranian operatives, or those working on behalf of the state.

“It’s the same pattern that Iranian state-backed hackers have been following for years,” he said.

Sabeti explained that they rely on manipulating targets into providing sensitive information or account details that can then be exploited for their gain — and, since they are operating from Iranian soil, “they have the consent of the regime.”

Sabeti said: “It’s easy, cheap, there’s plausible deniability and it works, it’s effective.”

Arab News

About Track Persia

Track PersiaTrack Persia is a Platform run by dedicated analysts who spend much of their time researching the Middle East, in due process we fall upon many indications of growing expansionary ambitions on the part of Iran in the MENA region and the wider Islamic world. These ambitions commonly increase tensions and undermine stability.