Dubai: The US-based information security services provider SecureWorks has uncovered an intricate “female honey pot” cyber espionage campaign being carried out by an established Iranian cyber espionage hacking group — nicknamed Cobalt Gypsy (a.k.a. OilRig).

By using the “honey pot”, the group successfully lured male employees of IT security, technology, oil and gas and aerospace organisations in the US, India and Saudi Arabia into revealing confidential data.

SecureWorks’ Counter Threat Unit (CTU) intelligence analyst Allison Wikoff told Gulf News that the men believed they were corresponding with a young and attractive female photographer named Mia Ash. In reality, the persona was created by the cyber threat group using stolen personal photos, professional credentials and other biographical data belonging to two real women. The group also created multiple, expansive social media accounts for the non-existent persona to make “her” more convincing.

The investigation uncovered the numerous resources associated with the Mia Ash persona including accounts on LinkedIn, Facebook, Blogger, WhatsApp and several email addresses.

Wikoff asserted that this group is associated with Iranian government-directed cyber operations. Specifically, this group has been observed launching espionage campaigns against organisations that are of strategic, political or economic importance to Iranian interests.

CTU informed LinkedIn about the account in March this year and it was subsequently shut down, although the persona can reappear in different forms.

In 2015, the CTU exposed an elaborate LinkedIn campaign conducted by the same group to con its victims. OilRig was also cited earlier this year for going after numerous private and government organisations in the US, Europe and the Middle East.

Wikoff said that, in January and February this year, CTU observed phishing campaigns targeting several entities in the Middle East and North Africa (Mena) with a focus on Saudi Arabian organisations.

When initial email phishing campaigns were unsuccessful, CTU researchers observed highly targeted spear-phishing and social engineering from Mia Ash.

The connections within these profiles indicate targeting of various organisations dating back to April 2016.

Hidden in the attachments was PupyRAT, an open-source remote access trojan (RAT) that works across multiple platforms.

The phishing messages sent by Cobalt Gypsy over the past 12 months, including the Mia Ash activity, contained weaponised Microsoft Office documents.

Both IBM and Palo Alto Networks have theorised that PupyRAT was the initial infection vector for the destructive Shamoon attacks, which wiped numerous computers at large Middle Eastern companies and government organisations in November 2016 and January 2017.

Early attacks last year focused on Middle Eastern banks, government entities and critical infrastructure operators, but the group has since expanded its targets both geographically and by industry.

In October 2016, attacks targeted companies in the US, as well as government organisations, private companies and government-owned companies in Saudi Arabia, the UAE and Turkey.

“Cobalt Gypsy will employ well-established social media personas and correspond via multiple social media, messenger and email based platforms to establish rapport with their target demonstrating creativity, resourcefulness and persistence in their approach,” she said.

CTU researchers reviewed a sample of connections associated with the Mia Ash LinkedIn profile, which fell into two broad categories: photography and non-photography profiles. Analysis indicated the photography connections were likely made to make the profile appear authentic.

The non-photography endorsers were located in Saudi Arabia, the US, Iraq, Iran, India and Bangladesh and worked for technology, oil and gas, health care, aerospace and consulting organisations. These connections were mid-level employees in technician (mechanical and computer) or project management roles, with job titles such as technical support engineer, software developer and system support.

Several of Mia Ash’s LinkedIn connections matched the names of people associated with the Mia Ash Facebook page. The overlapping LinkedIn and Facebook names are likely accounts belonging to the same individuals, and those individuals are likely targets of the persona.

CTU researchers have observed numerous Cobalt Gypsy campaigns over the past two years, including an extensive campaign in 2015 in which the group created 25 fake LinkedIn profiles posing as employees of prominent companies in the Middle East and worldwide, many of them with 500 or more connections.

“Many of these fake employee profiles purported to be employment recruiters for such global companies as Northrop Grumman, Teledyne, etc, so that they could convince their targets to fill out employment applications,” Wikoff said.

Steps to prevent attacks

• Organisations should routinely educate their staff on social engineering schemes and strongly discourage connecting with online entities that are not validated through real-world relationships.

• Deploy an endpoint security solution and monitor for the anomalous activity generated by malware such as PupyRAT.

• Organisations need to have clear social media guidance for their employees and instructions for how employees should report potential phishing messages received through personal email, corporate email and social media platforms.

• Guidance should include recommendations for reporting any attempt by an unknown third party to request information about an employer, its IT or business systems, or to get an employee to carry out an action in the workplace such as opening a document or visiting a website.

• Organisations should disable macros in Microsoft Office products, since the weaponised Office documents used in these campaigns rely on them to execute.
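The macro recommendation above is normally enforced through Group Policy rather than on each machine by hand. The following PowerShell is an added example, not code from SecureWorks or CTU, showing the registry policy values the Office Group Policy templates write and a check that they are in effect. It assumes Office 2016/2019/365 (version key 16.0) and sets the per-user Policies hive for the current user; the same value names exist under the equivalent HKLM path for machine-wide enforcement.

```powershell
# Added example (not part of the original article): enforce and verify the Office
# macro policy for Word, Excel and PowerPoint under the per-user Policies hive.
# Assumes Office 16.0 (2016/2019/365). Run as the user whose Office settings should change.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

foreach ($app in $apps) {
    $key = Join-Path $base "$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # Value 4 matches the article's "disable macros" recommendation.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord

    # Block macros in documents carrying the Mark-of-the-Web, i.e. files that
    # arrived by download or e-mail attachment, regardless of the setting above.
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# Verification pass: report any application whose policy still permits macros.
foreach ($app in $apps) {
    $key = Join-Path $base "$app\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $enforced = ($p.VBAWarnings -eq 4) -and ($p.BlockContentExecutionFromInternet -eq 1)
    $status = if ($enforced) { 'OK' } else { 'NOT ENFORCED' }
    '{0,-11} VBAWarnings={1} BlockContentExecutionFromInternet={2} -> {3}' -f `
        $app, $p.VBAWarnings, $p.BlockContentExecutionFromInternet, $status
}
```

Where business processes depend on macros, VBAWarnings=3 (digitally signed only) combined with BlockContentExecutionFromInternet=1 is the usual compromise: internally signed macros keep working, while a macro-laden document received as an e-mail attachment, the delivery method described in this article, is blocked before it runs.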