Iranians hack into UK defence company by posing as an AEROBICS instructor

Classified documents that are allegedly from Iran have revealed secret research into potential Western cyber attacks, while a separate report has found hackers posed as a glamorous Liverpool-based aerobics instructor in an attempt to gain access to a UK aerospace defence company.

According to the cache of internal documents obtained by Sky News, research was being undertaken into how a cyber attack could be used to sink a cargo ship and blow up a fuel pump at a petrol station.

The files also show research was being done into satellite communication devices employed by global shipping companies and smart-home-like technology that controls things such as lights, heating and ventilation in buildings worldwide.

Western countries, including the UK, France and the United States, appear to be of particular interest in the papers, which have allegedly been put together by an offensive cyber unit called Shahid Kaveh, according to Sky News’ sources.

Shahid Kaveh is part of Iran’s secretive elite Islamic Revolutionary Guard Corps’ (IRGC) cyber command.  

Citing someone with knowledge of the 57-page dossier, the news network said the work is proof of efforts by Iran to gather intelligence on civilian infrastructure that could be used to identify future targets open to cyber attacks. 

The unnamed source told Sky News that they were ‘very confident’ the documents were authentic, with other sources adding that the documents ‘looked credible and interesting,’ according to the network’s extensive report.

There are five documents in total, and the papers say they were written by ‘Intelligence Team 13.’ Each is shown to begin with a quote by Iran’s Supreme Leader Ayatollah Ali Khamenei.

‘The Islamic Republic of Iran must become among the world’s most powerful in the area of cyber,’ the quote reads.

‘They are creating a target bank to be used whenever they see fit,’ the source was quoted as saying by Sky News. Intelligence Team 13 ‘are supposed to be rather clandestine. They work on offensive cyber operations globally,’ he added.

However, the research included in the documents appeared to be based on open sources and internet searches, rather than on access to privileged information about specific targets, according to Sky.

One of the documents appeared to show a diagram of a system designed to keep cargo ships balanced when they tilt in the water.

‘These pumps are used to bring water into the tanks through centrifuges and in order to operate correctly, the task must be completed with precision. Any problems could result in the sinking of the ship,’ the document said.

‘Any kind of disruptive influence can cause disorder within these systems and can cause significant and irreparable damage to the vessel.’

Another file showed details and photos of automatic tank gauges that keep track of fuel flow at petrol stations.

‘[An] explosion of these fueling pumps is possible if these systems are hacked and controlled remotely,’ it said. It also noted that an attack could cut fuel supply.

In another document, satellite communication devices used at sea called Seagull 5000i and Sealink CIR were examined. 

British Defence Secretary Ben Wallace commented on the report to Sky, saying that unless steps are taken to counter the threat of such potential cyber attacks, ‘our critical national infrastructure, our way of life could be threatened quite easily.’

Britain’s military cyber chief Patrick Sanders warned Iran was ‘among the most advanced cyber actors. We take their capabilities seriously. We don’t overstate it. They are a serious actor and they have behaved really irresponsibly in the past.’

In a separate report, it was revealed that Iranian hackers for years posed as a glamorous aerobics instructor in a bid to gain the trust of employees of a UK aerospace defence company, in an attempt to infect its system with viruses.

Hackers used the name Marcella Flores, set up a fake Facebook account, and flirted and shared photographs with employees to persuade them she was genuine.

‘Marcella,’ whose operators were given the codename TA456, enabled the hackers to infect employees’ IT systems with the virus Liderc – malware that is capable of spying and gathering information such as usernames and passwords before exiting the system while covering its tracks.

The plot was uncovered by Proofpoint Inc, a California-based security and tech company which specialises in email and cyber security, with a particular focus on social media.

‘Marcella’ was sending flirty emails, photos and even a video to one employee as early as 2019, with the fake Facebook profile dating back to May 30, 2018.

The ‘woman’ claimed that she worked at Liverpool’s Harbour Health Club, and had studied at the University of Liverpool.

After attempts were made to gain the trust of their target, the hackers would send a fake survey about pandemic eating habits and diets. Unbeknownst to them, the link and email – signed ‘Marcy’ – was teeming with malware.

Proofpoint said Facebook had previously disrupted a similar network of personas thought to be controlled by the hackers and TA456, saying it believed the group to be ‘loosely aligned’ to the Islamic Revolutionary Guard Corps (IRGC) via a Tehran-based IT company, Mahak Rayan Afraz.

In its blog post, the company said its researchers ‘have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456.’

Pictured: One of the emails sent from ‘Marcella Flores’ to employees of a UK aerospace defence company in an attempt to get them to click on the link that would infect their IT devices with malware

‘Using the social media persona ‘Marcella Flores’, TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defence contractor,’ it added.

‘In early June 2021, the threat actor attempted to capitalise on this relationship by sending the target malware via an ongoing email communication chain.’

‘“Marcella (Marcy) Flores” was conversing with the targeted aerospace employee since at least November 2020 and was friends with them on social media since at least 2019.’

‘Besides the Gmail account used for attempted malware delivery, Marcella maintained a now suspended Facebook profile.’

The company also noted that TA456 is known by other aliases, such as Tortoiseshell and Imperial Kitten.

Earlier this month, Facebook said it had deleted a number of accounts operated by Iranian hackers, who were spreading malware and carrying out spying operations on the internet, largely targeting the US. 

It said that the group – known as Tortoiseshell – appeared to have shifted its focus from the Middle East’s IT industry to other industries around the world.

Read more at DailyMail.co.uk