The Iran-based group TA456 posed as an aerobics instructor for around a year. During that time it attempted to deliver malware, which has since been detected, with the aim of infecting the system of an employee of an aerospace defense contractor.
The attackers used the media persona "Marcella Flores" to build a relationship with an employee of a firm in the aerospace defense contracting sector. They then used that relationship to deliver targeted malware over the existing email conversation, malware whose purposes include establishing persistence. The group is suspected of having connections with the Islamic Revolutionary Guard Corps (IRGC) and the Iranian IT firm Mahak Rayan Afraz (MRA).
What’s Happening?
Proofpoint, a cybersecurity firm, has attributed this clandestine operation to TA456, a government-sponsored hacker group. In the security field, the group is also known as Tortoiseshell and Imperial Kitten.
- Attackers used the media persona ‘Marcella Flores’ to establish contact (through corporate communication channels) with an employee of an aerospace defense contractor’s subsidiary business.
- In early June the attacker attempted to exploit this relationship by delivering targeted malware, Lempo, over an ongoing email conversation.
- The malware is capable of establishing persistence, gathering sensitive information, and conducting reconnaissance.
- The attempt began with an email containing a OneDrive URL that purported to link to a diet survey. The link led to a macro-enabled Excel spreadsheet whose macro retrieved the espionage tool from an attacker-controlled URL.
- The attackers are said to be inextricably linked to the Islamic Revolutionary Guard Corps (IRGC). Also, the gang is accused of being linked to the Iranian IT business Mahak Rayan Afraz (MRA).
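The lure chain described in these bullets (an external contact, a file-sharing link, and a macro-enabled workbook that fetches a second stage) is a pattern a mail gateway can triage before a user ever opens the file. The following is an added example, not code from the original article or from Proofpoint's report: it inspects constructed mail-gateway records, flags file-sharing links and macro-capable extensions, and, more usefully, opens each Office attachment as a zip archive to check for an embedded VBA project, which catches a macro workbook even when it has been renamed to a non-macro extension. The share-host list, the record format, the sample messages and the minimal "workbook" zips are all constructed for the example and are not indicators from the report.

```python
"""Mail-gateway triage for the lure pattern described in the article:
external sender + file-sharing link + macro-enabled Office workbook.
Added example; record format, host list and sample data are constructed."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed list of file-sharing hosts worth a second look when sent by an
# external party. Constructed for the example, not taken from the report.
SHARE_HOSTS = {"onedrive.live.com", "1drv.ms"}
# Extensions that may carry VBA macros (legacy binary formats included).
MACRO_EXTS = {".xlsm", ".xlam", ".docm", ".dotm", ".pptm", ".xls", ".doc"}


@dataclass
class Attachment:
    name: str
    blob: bytes


@dataclass
class Message:
    sender: str
    subject: str
    urls: list[str] = field(default_factory=list)
    attachments: list[Attachment] = field(default_factory=list)


def has_vba_project(blob: bytes) -> bool:
    """True if an OOXML (zip-based) document contains a VBA project part.
    Works regardless of the file extension, so a renamed .xlsm is still caught."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container (e.g. legacy .xls or plain text)


def triage(msg: Message, internal_domain: str) -> list[str]:
    """Return the list of reasons a message deserves analyst attention."""
    reasons: list[str] = []
    if not msg.sender.lower().endswith("@" + internal_domain.lower()):
        reasons.append("external sender")
    for url in msg.urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHARE_HOSTS:
            reasons.append(f"file-sharing link: {host}")
    for att in msg.attachments:
        ext = ("." + att.name.rsplit(".", 1)[-1].lower()) if "." in att.name else ""
        if ext in MACRO_EXTS:
            reasons.append(f"macro-capable extension: {att.name}")
        if has_vba_project(att.blob):
            reasons.append(f"embedded VBA project: {att.name}")
    return reasons


def is_suspicious(reasons: list[str]) -> bool:
    """Any macro evidence alone, or two or more weaker signals together."""
    macro = any(r.startswith(("embedded VBA", "macro-capable")) for r in reasons)
    return macro or len(reasons) >= 2


def build_workbook(with_macros: bool) -> bytes:
    """Construct a minimal zip that mimics an OOXML workbook layout (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples. Note the lure's attachment carries a non-macro
# extension (.xlsx) but still contains a VBA project.
SAMPLE_LURE = Message(
    sender="external.contact@webmail.test",
    subject="Diet survey",
    urls=["https://onedrive.live.com/placeholder-share-id"],
    attachments=[Attachment("diet_survey.xlsx", build_workbook(True))],
)
SAMPLE_BENIGN = Message(
    sender="colleague@example-defense.test",
    subject="Q3 figures",
    urls=["https://intranet.example-defense.test/reports"],
    attachments=[Attachment("figures.xlsx", build_workbook(False))],
)

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_BENIGN):
        r = triage(m, "example-defense.test")
        print(m.subject, "->", "SUSPICIOUS" if is_suspicious(r) else "ok", r)
```

The zip inspection is the part worth keeping: extension and host checks are cheap to evade, but a workbook cannot run a macro without shipping its VBA project, so checking for that part inside the container is a stable signal that survives renaming.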
Past Records Of TA456
These kinds of attacks are not new. In several earlier cases the attackers used the disguise of a persona to reach their target. Tortoiseshell has targeted a large number of military personnel in sectors such as defense and aerospace, approaching individuals through networks of fake personas on online platforms.
Conclusion
The attacks show that TA456 has a clear interest in the defense sector. These sophisticated attacks are difficult to defend against; doing so requires organizations to put equal or greater effort into protecting their own cyberspace.