Attacks/Breaches

7/31/2017
05:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Iranian Hackers Ensnared Targets via Phony Female Photographer

US, Indian, Saudi Arabian, Israeli, Iraqi IT, security, executives in oil/gas and aerospace swept up in elaborate social media ruse used for cyber espionage operations.

She's a London-based young professional photographer, an Arsenal FC fan, and she's interested in learning more about the region where her LinkedIn, Facebook, and Blogger connections live. Her relationship status on Facebook: "It's complicated."

Meet "Mia Ash," a phony but apparently very convincing online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets. The highly detailed and creative social engineering ruse employs "Mia" as the lure in order to ultimately drop information-stealing spy malware onto the victim's machine.

Researchers at SecureWorks last week at Black Hat USA in Las Vegas published a report on their findings of this attack campaign, which began in January of this year, first as a pure phishing campaign that soon evolved with Mia Ash's phony LinkedIn, Facebook, and blog accounts to further social-engineer the targets and earn their trust.

The so-called Oil Rig, aka Cobalt Gypsy, hacking team hit petroleum giant Saudi Aramco in 2012 with a massive attack that damaged or wiped the hard drives of some 25,000 of the oil company's computers. The same attackers came back with fresh Shamoon attacks hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

"This is the most active Iranian group we're aware of," says Allison Wikoff, lead researcher on the so-called Mia Ash research by SecureWorks. "We see infrastructure on a weekly basis and new activity all the time" by them, she says.

SecureWorks believes that Mia Ash may be just one of several personas used by the group to gather intel on their targets, mainly energy firms and technology companies in the Middle East. The company has been tracking OilRig/Cobalt Gypsy since 2015, when they first spotted them creating a network of phony LinkedIn profiles

While the researchers weren't able to determine the specific information the attackers were going after via the Mia persona attacks, they spotted them attempting to obtain the user's network credentials.

Once Mia and her connections had established their social media relationship, the attackers sent a phishing email to the target. That included a rigged attachment with enabled Macros to install PupyRAT, which gives an attacker full access to the targeted machine.

Wikoff says her team believes this was just the early stages of the full attack. The first stage is to get the targeted individual's credentials via PupyRAT, which would give the attackers a foothold in the target's organization. It's unclear if Shamoon data-wiping would be next in the attack chain, but it's a "plausible hypothesis," she says.

Some of the targets moved their communique with "Mia" to WhatsApp, so it's unclear what information the victims shared with "Mia" in private, she says.

SecureWorks in its report says one of the victims appears to have even registered a domain for Mia, and Mia reciprocated. They aren't sure why the domains were registered, but they believe it was on of three possibilities: a gesture of trust; the victim's information was compromised and used for the domain; or the victim actually works with the attackers. "The domains are parked, no malware on them or services set up," Wikoff says. "It's strange, but it gave us a timeline of activity."

That victim is a cybersecurity expert in a large consulting firm with a background in the oil and gas industry, she says. SecureWorks reached out to the security expert to alert him of the scam, but hasn't heard back as of this posting, she says.

Remember 'Robin Sage?'

Mia Ash was reminiscent of the 2010 "Robin Sage" social engineering research project conducted by security expert Thomas Ryan, who presented his findings that year at Black Hat USA. Ryan created an online persona of Robin using a photo of a twenty-something real model and set her up on LinkedIn, Facebook, and Twitter. She purportedly worked for the Naval Network Warfare Command. Robin attracted connections from people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the US Marines, a chief of staff for the US House of Representatives, and several Pentagon and DoD employees. Her profiles also attracted defense contractors the likes of Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton. 

Phony personas are really nothing new in the spying world. John Bambenek, threat systems manager at Fidelis Cybersecurity, says phony personas have been around for a long time in espionage circles as well as in cyber espionage. "But it's not efficient" for the attackers as an MO, he says, nor is it the most sophisticated MO. "But to a certain point, social engineering works," he says.

"They do bulk collection and then figure out how to target [their marks] from there," he says.  

Iranian nation-state hackers in general are becoming more sophisticated since their early days of defacing websites. "They continue to evolve. They're not in the top tier in terms of capabilities," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike.

"We've seen several waves of Shamoon. Last fall and winter, they were able to cause quite a bit of damage," Alperovitch notes.

So far, Iran's nation-state hacking operations have been more about spying in their Western targets. But Alperovitch notes that indeed could change to more destructive attacks in the future. "There's no question that there's a great deal of concern. Tensions over the bill passed on sanctions on Iran [for instance] … cyber is one of the ways they can hit back at us," he says.

Palo Alto Networks meawhile late last week revealed some new details on OilRig's activity: they spotted the gang using a new variant of another Iranian threat group's Trojan called ISMAgent. ISMAgent is a more "limited but flexible" version of the so-called Greenbug attack group's Trojan, according to PAN.

"With the inclusion of ISMAgent within the OilRig toolset, we are beginning to see stronger relationships between the various documented groups operating in the Middle East. This region has proven to be a hot bed of espionage-motivated activity over the last couple of years, and there appear to be no signs of this changing," PAN researchers Robert Falcone and Bryan Lee wrote in a blog post

PAN's team has not, however, seen the fake social media profiles SecureWorks found, the researchers said in response to a Dark Reading inquiry.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
8/1/2017 | 3:29:15 PM
Re: Social Engineering 101
Oh, considering the human motivation in all of us, celibacy in men might work. LOL
cybersavior
100%
0%
cybersavior,
User Rank: Strategist
8/1/2017 | 3:13:45 PM
First phase forensics findings:

Phony female photographer fools forgetful few founders from fossil fuel field, facilitating fake Facebook friend, faux fellow football fan for foreign financial felonies; forfieting firm fortunes fraudulently.

No SOPA
0%
100%
No SOPA,
User Rank: Ninja
7/31/2017 | 6:18:21 PM
Social Engineering 101
You have to grudgingly give props to anyone who succeeds on such a large scale with an entry point that is social engineering 101.  Sometimes I can't help but just laugh out loud.  For all our automation, our intelligent software and monitoring, for all our training and warnings to not talk to suspicious actors, we still can't keep the human need for intimacy from throwing a huge wrench in the cogs of InfoSec.  From security to spying, why can we still not get this one right?  Please tell me there's a solution to keep the Mia Ashes of the world away from our vulnerable assets...
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.