Iranian Espionage Campaign Hinges on Beautiful (But Fake) Woman

An APT actor believed to be backed by the Iranian state is using an elaborate fake persona—a beautiful young woman—to lure victims on social media.

The fictional person, named Mia Ash, is a linchpin in espionage campaigns from a group known as Cobalt Gypsy, targeting several entities in the Middle East and North Africa (MENA), with a focus on Saudi Arabian organizations. The focus is on firms in telecommunications, government, defense, oil and financial services, with Cobalt Gypsy identifying individual victims through social media sites, according to Dell SecureWorks.

At the core of this is a well-established collection of fake social media profiles for Mia Ash that are intended to build trust and rapport with potential victims, while performing reconnaissance on employees of targeted organizations.

In one example of the gambit, Mia Ash (a purported London-based photographer) used LinkedIn to contact an employee at one of the targeted organizations, stating that the inquiry was part of an exercise to reach out to people around the world. Over the next several days, the individuals exchanged messages about their professions, photography and travels. Mia then encouraged the employee to add her as a friend on Facebook and continue their conversation there, noting that it was her preferred communication method. The correspondence continued via email, WhatsApp and Facebook for weeks, until Mia sent a Microsoft Excel document, Copy of Photography Survey.xlsm, to the employee's personal email account. Mia encouraged the victim to open the email at work using their corporate email account so the survey would function properly. The survey contained macros that, once enabled, downloaded PupyRAT, an open-source cross-platform remote access trojan (RAT).

Further analysis revealed that the connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016.

Most victims are mid-level employees in technical (mechanical and computer) or project management roles with job titles such as technical support engineer, software developer and system support, Dell said.

“These job titles imply elevated access within the corporate network,” the firm said in an analysis. “By compromising a user account that has administrative or elevated access, threat actors can quickly access a targeted environment to achieve their objectives. The individuals' locations and industries align with previous Cobalt Gypsy targeting and Iranian ideological, political and military intelligence objectives.”

The fake persona attack vector is not a new one—as far back as 2009 a researcher named Thomas Ryan created Robin Sage as an experiment, a fictional 25-year-old cyber threat analyst at the Naval Network Warfare Command in Norfolk, Va. Using several accounts on popular social networks like Facebook, LinkedIn, Twitter and others, Ryan as Sage contacted nearly 300 people, most of them security specialists, military personnel, staff at intelligence agencies and defense contractors. People bought it—she was offered consulting work with notable companies Google and Lockheed Martin and had several invitations to speak at conferences.

Meanwhile, Ryan gained access to email addresses and bank accounts as well as learning the location of secret military units based on soldiers' Facebook photos and connections between different people and organizations. Sage was also given private documents for review.

Earlier this year, Israel Defense Force (IDF) soldiers were targeted in an espionage campaign by Hamas using Facebook friend requests purporting to be from attractive women. To sweeten the pot, these “ladies” sent multiple messages expressing their interest, along with photos—though the photos were cribbed from other, legitimate Facebook profiles. After chatting enough to convince the soldier that she’s real, the person on the other end asks the soldier to video chat.

“But all the [existing video] apps he has won’t work for her—she needs him to download another one,” the IDF described in a blog. “She sends him a link to an app [in a third-party app] store called ‘apkpk.’ He downloads the app she requested. The app isn’t working, not for the soldier, at least. He tries to tell the pretty girl on the other end, but she won’t respond.”

Validating a user's authenticity prior to accepting social media connection requests can mitigate threats posed by threat actors leveraging fake personas.

What’s Hot on Infosecurity Magazine?