Iranian state actor ‘Marcy’ used Facebook to spy on US military personnel


An Iranian state actor spent years pretending to be someone called “Marcella Flores” in an attempt to spy on a U.S. aerospace defense contractor.

A new report from cybersecurity company Proofpoint identified the actor as part of state-sponsored espionage against defense “industrial base” contractors doing work related to the Middle East.

Identified as TA456, the state actor first established a relationship with an employee at a subsidiary of the defense contractor. Then, in early June 2021, attempted to “capitalize on this relationship” by sending the employee malware as part of an “ongoing email communication chain,” according to Proofpoint.

An Iranian state actor spent years pretending to be someone called “Marcella Flores” in an attempt to spy on a U.S. aerospace defense contractor. (Proofpoint)

TA456 is also associated with espionage activity known as both Tortoiseshell and Imperial Kitten.

Over a period of at least eight months, TA456, going by the name of Marcy or Marcella, sent “benign email messages, photographs, and a video to establish her veracity and build rapport…At one time, TA456 attempted to send a benign, but flirtatious video via a OneDrive URL,” the report said.


The objective was to infect the employee’s machine with malware dubbed LEMPO to perform reconnaissance and steal sensitive information, Proofpoint said. Once the malware is active, it saves the reconnaissance details to the host, sends sensitive information to a state actor-controlled email account, and then deletes files to cover its tracks, the report said.

Marcella gets friendly on Facebook

In addition to a Gmail account, Marcella maintained a now-suspended Facebook profile, the report said.

A Facebook profile photo was uploaded on May 30, 2018 and Marcella began interacting with the employee on social media in late 2019. 

The profile is very similar to fictitious profiles previously used by Iranian state actors, the report said.

“The ‘Marcella’ profile appeared to be friends with multiple individuals who publicly identify as defense contractor employees and who are geographically dispersed from ‘Marcella’s’ alleged location in Liverpool, UK,” the report said.


“While targeting defense contractors is not new for TA456, this campaign uniquely establishes the group as one of the most determined Iranian-aligned threat actors tracked by Proofpoint,” the report said, adding that targeting U.S. defense contractors connected to contracts in the Middle East “is consistent with historical Iranian cyber activity.”

Facebook addressed the broader campaign in a post earlier this month.

“In an apparent expansion of malicious activity to other regions and industries, our investigation found them targeting military personnel and companies in the defense and aerospace industries primarily in the U.S., and to a lesser extent in the UK and Europe,” the company said in a statement. “This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage.”



Read original article here

Denial of responsibility! Vigour Times is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.

Leave a comment
Enable Notifications OK No thanks