Hackers believed to be working for the Iranian government have impersonated a young female photographer on social media for more than a year, luring men working in industries strategically important to Tehran’s regional adversaries, according to research published Thursday.
Researchers at Dell SecureWorks said the so-called Mia Ash persona has been active since at least April of last year on sites including LinkedIn, Facebook Inc, WhatsApp and Blogger.
The campaign showed that Iran engaged in a social engineering plot to ensnare its targets with a “honey pot”, a classic espionage trap often involving seduction and more commonly used by criminal hackers.
Dell SecureWorks observed Mia Ash sending a victim specific malware, concealed as a “photography survey” with an attachment. It matched malware sent by Iranian hacking group Cobalt Gypsy during an unsuccessful “spearphishing” email attempt to the same victim’s employer in January.
The malware, known as PupyRAT, would give an attacker complete control of a compromised computer and access to network credentials, a modus operandi suggestive of government espionage. The researchers did not have visibility into what Mia Ash sought to gain with the access or how many targets were compromised.
Dell SecureWorks said the fake profile used publicly available social media images of a real photographer based in eastern Europe to create the identity of an attractive woman in her mid-twenties who lived in London and enjoyed travel, soccer, and popular musicians including Ed Sheeran and Ellie Goulding. Her social media biographies appeared to have lifted details from a New York photographer’s LinkedIn profile.
Dell SecureWorks said it was very confident that Mia Ash was created and operated by the Iranian hacking group known as Cobalt Gypsy.
There were no comments from Iranian authorities.
The primary targets of Mia Ash were middle-aged men who worked as technicians and engineers at oil and gas, aerospace and telecommunications firms in the Middle East; these targets had been previously targeted by the same group. In addition to India and the United States, those include Saudi Arabia and Israel.
According to Allison Wikoff, a senior security researcher at Dell SecureWorks who tracked Mia Ash’s activity, Mia Ash’s victims failed to notice that none of her profiles included a way to contact her for photography services.
“These guys aren’t hiring her for photography,” Wikoff said. “Their main thing is, ‘Wow, she’s young, she’s cute, she likes to travel, she’s whimsical’.”
Wikoff said that before Dell SecureWorks finished its research, LinkedIn removed the fake Mia Ash profile.
Facebook, where Mia Ash listed her relationship status as “it’s complicated,” took the profile down after being contacted by Dell SecureWorks.
Cobalt Gypsy, also known as OilRig, has been previously accused of operating a network of fake LinkedIn profiles in order to pose as recruiters at major companies, including Northrop Grumman Corp and General Motors Co. Wikoff said, however, that the Mia Ash persona showed an elevated level of persistence.
Western security officials have for years considered Iran to be among the most sophisticated nation-state cyber adversaries, along with Russia, China and North Korea.
(Adapted from CNBC)