TA456 Threat Actor Targeting Aerospace Employees Posed as Aerobics Instructors for Years

An Iranian cyberespionage group tried to infect an employee of an aerospace defense contractor with cyberespionage malware. In a campaign that has lasted for years, the threat actor posed as an aerobics instructor on Facebook to build trust with the victims.

Security firm Proofpoint has identified a covert operation it believes is carried out by a state-aligned threat actor. The firm said the actor is known as TA456 and also goes by other monikers such as Tortoiseshell and Imperial Kitten.

Proofpoint said TA456 built a relationship with an employee of an aerospace defense contractor and then targeted them with malware:

“Using the social media persona ‘Marcella Flores,’ TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor,” Proofpoint said in a report shared with The Hacker News. “In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain.”

TA456 was the subject of another incident this month, when Facebook revealed that it had disrupted a sophisticated campaign by the hacker group Tortoiseshell targeting hundreds of military personnel and companies in the U.S., U.K., and Europe. The company also identified and removed the attackers’ fake accounts.

TA456 is believed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC) via the Iranian IT company Mahak Rayan Afraz (MRA).

According to Proofpoint, the TA456 threat actor created an elaborate fake persona to communicate with an aerospace employee, who was later infected with a type of malware known as LEMPO to perform reconnaissance and exfiltrate sensitive information.

The infection chain was initiated by an email that contained a macro-embedded Excel document disguised as a diet survey. The malicious script secretly accessed an attacker-controlled domain.

“TA456 demonstrated a significant operational investment by cultivating a relationship with a target’s employee over years in order to deploy LEMPO to conduct reconnaissance into a highly secured target environment within the defense industrial base,” Proofpoint researchers said. “This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.