05:35 PM
Connect Directly

Iranian Hackers Ensnared Targets via Phony Female Photographer

US, Indian, Saudi Arabian, Israeli, Iraqi IT, security, executives in oil/gas and aerospace swept up in elaborate social media ruse used for cyber espionage operations.

She's a London-based young professional photographer, an Arsenal FC fan, and she's interested in learning more about the region where her LinkedIn, Facebook, and Blogger connections live. Her relationship status on Facebook: "It's complicated."

Meet "Mia Ash," a phony but apparently very convincing online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets. The highly detailed and creative social engineering ruse employs "Mia" as the lure in order to ultimately drop information-stealing spy malware onto the victim's machine.

Researchers at SecureWorks last week at Black Hat USA in Las Vegas published a report on their findings of this attack campaign, which began in January of this year, first as a pure phishing campaign that soon evolved with Mia Ash's phony LinkedIn, Facebook, and blog accounts to further social-engineer the targets and earn their trust.

The so-called Oil Rig, aka Cobalt Gypsy, hacking team hit petroleum giant Saudi Aramco in 2012 with a massive attack that damaged or wiped the hard drives of some 25,000 of the oil company's computers. The same attackers came back with fresh Shamoon attacks hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

"This is the most active Iranian group we're aware of," says Allison Wikoff, lead researcher on the so-called Mia Ash research by SecureWorks. "We see infrastructure on a weekly basis and new activity all the time" by them, she says.

SecureWorks believes that Mia Ash may be just one of several personas used by the group to gather intel on their targets, mainly energy firms and technology companies in the Middle East. The company has been tracking OilRig/Cobalt Gypsy since 2015, when they first spotted them creating a network of phony LinkedIn profiles

While the researchers weren't able to determine the specific information the attackers were going after via the Mia persona attacks, they spotted them attempting to obtain the user's network credentials.

Once Mia and her connections had established their social media relationship, the attackers sent a phishing email to the target. That included a rigged attachment with enabled Macros to install PupyRAT, which gives an attacker full access to the targeted machine.

Wikoff says her team believes this was just the early stages of the full attack. The first stage is to get the targeted individual's credentials via PupyRAT, which would give the attackers a foothold in the target's organization. It's unclear if Shamoon data-wiping would be next in the attack chain, but it's a "plausible hypothesis," she says.

Some of the targets moved their communique with "Mia" to WhatsApp, so it's unclear what information the victims shared with "Mia" in private, she says.

SecureWorks in its report says one of the victims appears to have even registered a domain for Mia, and Mia reciprocated. They aren't sure why the domains were registered, but they believe it was on of three possibilities: a gesture of trust; the victim's information was compromised and used for the domain; or the victim actually works with the attackers. "The domains are parked, no malware on them or services set up," Wikoff says. "It's strange, but it gave us a timeline of activity."

That victim is a cybersecurity expert in a large consulting firm with a background in the oil and gas industry, she says. SecureWorks reached out to the security expert to alert him of the scam, but hasn't heard back as of this posting, she says.

Remember 'Robin Sage?'

Mia Ash was reminiscent of the 2010 "Robin Sage" social engineering research project conducted by security expert Thomas Ryan, who presented his findings that year at Black Hat USA. Ryan created an online persona of Robin using a photo of a twenty-something real model and set her up on LinkedIn, Facebook, and Twitter. She purportedly worked for the Naval Network Warfare Command. Robin attracted connections from people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the US Marines, a chief of staff for the US House of Representatives, and several Pentagon and DoD employees. Her profiles also attracted defense contractors the likes of Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton. 

Phony personas are really nothing new in the spying world. John Bambenek, threat systems manager at Fidelis Cybersecurity, says phony personas have been around for a long time in espionage circles as well as in cyber espionage. "But it's not efficient" for the attackers as an MO, he says, nor is it the most sophisticated MO. "But to a certain point, social engineering works," he says.

"They do bulk collection and then figure out how to target [their marks] from there," he says.  

Iranian nation-state hackers in general are becoming more sophisticated since their early days of defacing websites. "They continue to evolve. They're not in the top tier in terms of capabilities," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike.

"We've seen several waves of Shamoon. Last fall and winter, they were able to cause quite a bit of damage," Alperovitch notes.

So far, Iran's nation-state hacking operations have been more about spying in their Western targets. But Alperovitch notes that indeed could change to more destructive attacks in the future. "There's no question that there's a great deal of concern. Tensions over the bill passed on sanctions on Iran [for instance] … cyber is one of the ways they can hit back at us," he says.

Palo Alto Networks meawhile late last week revealed some new details on OilRig's activity: they spotted the gang using a new variant of another Iranian threat group's Trojan called ISMAgent. ISMAgent is a more "limited but flexible" version of the so-called Greenbug attack group's Trojan, according to PAN.

"With the inclusion of ISMAgent within the OilRig toolset, we are beginning to see stronger relationships between the various documented groups operating in the Middle East. This region has proven to be a hot bed of espionage-motivated activity over the last couple of years, and there appear to be no signs of this changing," PAN researchers Robert Falcone and Bryan Lee wrote in a blog post

PAN's team has not, however, seen the fake social media profiles SecureWorks found, the researchers said in response to a Dark Reading inquiry.

Related Content:

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/1/2017 | 3:29:15 PM
Re: Social Engineering 101
Oh, considering the human motivation in all of us, celibacy in men might work. LOL
User Rank: Strategist
8/1/2017 | 3:13:45 PM
First phase forensics findings:

Phony female photographer fools forgetful few founders from fossil fuel field, facilitating fake Facebook friend, faux fellow football fan for foreign financial felonies; forfieting firm fortunes fraudulently.

User Rank: Ninja
7/31/2017 | 6:18:21 PM
Social Engineering 101
You have to grudgingly give props to anyone who succeeds on such a large scale with an entry point that is social engineering 101.  Sometimes I can't help but just laugh out loud.  For all our automation, our intelligent software and monitoring, for all our training and warnings to not talk to suspicious actors, we still can't keep the human need for intimacy from throwing a huge wrench in the cogs of InfoSec.  From security to spying, why can we still not get this one right?  Please tell me there's a solution to keep the Mia Ashes of the world away from our vulnerable assets...
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.