Canada’s foreign communications intelligence agency is warning the public about the increasing number of Iranian cyber schemes targeting a wide range of Canadian professionals.
Iranian “cyber threat actors” are focusing on specific targets with the goal of obtaining information that holds political, economic, or military significance for Iran, according to a report from the Communications Security Establishment Canada (CSE).
These Iranian state actors create fake accounts with “credible, attractive personas” on multiple social media platforms to connect with individuals from a wide variety of professional fields such as defence contractors, aerospace employees, energy sector employees, politicians, diplomats, and civil society groups, the report said. They have also been known to target academics, activists, researchers, and journalists.
“Social media interaction with people we don’t know in real life has become so normalised, it may be hard to imagine but there are real threats out there,” Canadian Centre for Cyber Security Associate Head Bridget Walshe said in a press release. “These accounts might be fake, but the threat is real.”
Iranian cyber threat actors typically use attractive female personas to manipulate their targets, the report noted. In one instance, an Iranian hacker used a false persona to pose as a female aerobics instructor and personal trainer. Operating under the alias Marcella Flores, the hacker cultivated a relationship with an employee of an aerospace defence contractor that lasted for several months.
The counterfeit persona nurtured the online relationship across various corporate and personal communication channels. The person behind the account then introduced malware into the target’s computer system using a malicious Excel spreadsheet that was disguised as a harmless “Diet Survey” file.
Iranian cyber threat actors also employ personas to establish trust with their targets by expressing shared concerns related to significant traumatic events and tragedies.
One example laid out in the report was a fake campaign related to the Israel–Hamas conflict. The Iranian hackers created a fake website for the “Bring Them Home Now” movement, calling for the return of Israeli hostages held by Hamas. The website, which was used to lure in targets, eventually led them to download a malicious payload.
These bad actors are also known to impersonate recruiters and employees from companies in the regions where their victims reside, presenting them with potential job opportunities.
These operations generally focus on U.S. defence contractors located in the Middle East, as well as subcontractors linked to major defence firms, the report said.
“Given Iranian cyber threat actors’ tendencies to appeal to those interested or involved in current events, these social engineering techniques could be combined with Iran’s cyber-enabled information operations,” the report said.
“Iranian cyber threat actors have employed information operations during the Covid-19 pandemic and increased such operations since the onset of the Israel-Hamas war in October 2023.”
This type of campaign is known as a social engineering attack or human hacking, the CSE said. Examples of social engineering attacks include honey traps, scareware, and promises of quid pro quo. Social engineers also use various types of phishing attacks.
The CSE warns against unsolicited communications with attachments, hidden links, spoofed websites, malicious QR codes, login pages, urgent requests, messages that use threats or urgent language to demand personal or sensitive information, and callers who claim to be government officials or bank representatives.