Iran-sponsored cyberspies have leveled up their techniques, using fake personas of real people to add credibility to the phishing emails designed to deliver malware. 

According to a Wednesday report by Security firm Proofpoint, Iran-aligned espionage threat actor TA453 deployed a social engineering impersonation technique, informally called Multi-Persona Impersonation, in mid-2022 in which the threat actor uses at least two stolen or hijacked personas on a single email thread to convince targets of the legitimacy of the campaign. The personas used are real people that the target knows and trusts.

TA453 historically targeted academics, policymakers, diplomats, journalists, and human rights workers, and would engage in one-to-one conversations with the targets but this changed since they started the new technique. For example, the actors included a variety of questions intended to generate a dialogue about Israel, the Persian Gulf States, and the Abraham Accords, while these questions are generally meant to establish a pretext for sending a follow-up credential harvesting link or to deliver a malicious document.

The company’s researchers said they observed the activities of TA453 throughout late 2021 and through 2022 – which overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42 – noting that TA453 innovated its approach in a quest to fulfill its intelligence priorities. In late June 2022, this evolution resulted in campaigns utilizing what Proofpoint calls Multi-Persona Impersonation (MPI), a new subset of impersonation. 

The security firm described the method as “an intriguing technique” because it requires more resources be used per target -- potentially burning more personas -- and a coordinated approach among the various personalities in use by TA453.