Security News

In a new report, Proofpoint details how the group TA456, associated with the Iranian Revolutionary Guard, invested years in developing the false profile of a fantasy woman named Marcella Flores, an impossibly shiny haired aerobics instructor from the U.K., to rein in unsuspecting targets. Starting about eight months ago, Proofpoint found TA456 used the Marcella Flores profile to slowly build a relationship with someone who worked for a subsidiary of an aerospace defense contractor in the U.S. Over the months, Marcella shared many emails, pictures and even a video to build trust.

An attack earlier this month on Iran's train system, which disrupted rail service and taunted Iran's leadership via hacked public transit display screens, used a never-before-seen wiper malware called Meteor that appears to have been design for reuse, a security researcher has found. The initial attack, dubbed MeteorExpress, occurred July 9, when "a wiper attack paralyzed the Iranian train system," according to a report by Juan Andres Guerrero-Saade at Sentinel Systems.

A cyber attack that derailed websites of Iran's transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called "Meteor." The campaign - dubbed "MeteorExpress" - has not been linked to any previously identified threat group or to additional attacks, making it the first incident involving the deployment of this malware, according to researchers from Iranian antivirus firm Amn Pardaz and SentinelOne.

A new file wiping malware called Meteor was discovered used in the recent attacks against Iran's railway system. Unlike ransomware attacks, destructive wiper attacks are not used to generate revenue for the attackers.

Following cryptic reports of a malware attack that paralyzed the Iranian train system on July 9, SentinelOne threat hunters reconstructed the attack chain and discovered a destructive wiper component that could be used to scrub data from infected systems. In a research paper, SentinelOne threat hunter Juan Andres Guerrero-Saade said the never-before-seen wiper was developed in the past three years and appears designed for reuse in multiple campaigns.

Iranian state-backed hackers posed as a flirty Liverpudlian aerobics instructor in order to trick defence and aerospace workers into revealing secrets, according to a newly-published study. Researchers from Proofpoint said this morning they had uncovered a fake social media account being operated by state-backed Iranians, tracked internally by the enterprise security firm as TA456.

An Iranian state-sponsored threat actor tracked as TA456 maintained a social media account for several years before engaging with their intended victim, cybersecurity firm Proofpoint reports. The newly detailed activity attributed to the group involved the use of the social media persona "Marcella Flores," which was used to engage with an employee of a subsidiary of an aerospace defense contractor over multiple communication platforms, to gain their trust in an attempt to infect them with malware.

More details on the cyberattack on Iran's railroad system emerged over the weekend. According to Iran International, "The number might belong either to the office of President Hassan Rouhani or Supreme Leader Ali Khamenei. It is not clear if hackers have posted the information or the authorities." It would be reasonable to assume that the attack was at least partly designed to embarrass the incoming new hardline president, Ebrahim Raisi, before he takes over from the moderate Hassan Rouhani next month.

Facebook on Thursday disclosed it dismantled a "Sophisticated" online cyber espionage campaign conducted by Iranian hackers targeting about 200 military personnel and companies in the defense and aerospace sectors in the U.S., U.K., and Europe using fake online personas on its platform. The social media giant pinned the attacks to a threat actor known as Tortoiseshell based on the fact that the adversary used similar techniques in past campaigns attributed to the threat group, which was previously known to focus on the information technology industry in Saudi Arabia, suggesting an apparent expansion of malicious activity.

Recent activity that Facebook associated with the group focused on military personnel, defense organizations, and aerospace entities primarily in the United States and, to a lesser extent, the U.K. and Europe, showing an escalation of the group's cyberespionage activities. Today, Facebook revealed that it took action against similar attacks from the Iranian hacking group, which leveraged its online platform to lure victims into downloading malware.