05:35 PM
Connect Directly

Iranian Hackers Ensnared Targets via Phony Female Photographer

US, Indian, Saudi Arabian, Israeli, Iraqi IT, security, executives in oil/gas and aerospace swept up in elaborate social media ruse used for cyber espionage operations.

She's a London-based young professional photographer, an Arsenal FC fan, and she's interested in learning more about the region where her LinkedIn, Facebook, and Blogger connections live. Her relationship status on Facebook: "It's complicated."

Meet "Mia Ash," a phony but apparently very convincing online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets. The highly detailed and creative social engineering ruse employs "Mia" as the lure in order to ultimately drop information-stealing spy malware onto the victim's machine.

Researchers at SecureWorks last week at Black Hat USA in Las Vegas published a report on their findings of this attack campaign, which began in January of this year, first as a pure phishing campaign that soon evolved with Mia Ash's phony LinkedIn, Facebook, and blog accounts to further social-engineer the targets and earn their trust.

The so-called Oil Rig, aka Cobalt Gypsy, hacking team hit petroleum giant Saudi Aramco in 2012 with a massive attack that damaged or wiped the hard drives of some 25,000 of the oil company's computers. The same attackers came back with fresh Shamoon attacks hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

"This is the most active Iranian group we're aware of," says Allison Wikoff, lead researcher on the so-called Mia Ash research by SecureWorks. "We see infrastructure on a weekly basis and new activity all the time" by them, she says.

SecureWorks believes that Mia Ash may be just one of several personas used by the group to gather intel on their targets, mainly energy firms and technology companies in the Middle East. The company has been tracking OilRig/Cobalt Gypsy since 2015, when they first spotted them creating a network of phony LinkedIn profiles

While the researchers weren't able to determine the specific information the attackers were going after via the Mia persona attacks, they spotted them attempting to obtain the user's network credentials.

Once Mia and her connections had established their social media relationship, the attackers sent a phishing email to the target. That included a rigged attachment with enabled Macros to install PupyRAT, which gives an attacker full access to the targeted machine.

Wikoff says her team believes this was just the early stages of the full attack. The first stage is to get the targeted individual's credentials via PupyRAT, which would give the attackers a foothold in the target's organization. It's unclear if Shamoon data-wiping would be next in the attack chain, but it's a "plausible hypothesis," she says.

Some of the targets moved their communique with "Mia" to WhatsApp, so it's unclear what information the victims shared with "Mia" in private, she says.

SecureWorks in its report says one of the victims appears to have even registered a domain for Mia, and Mia reciprocated. They aren't sure why the domains were registered, but they believe it was on of three possibilities: a gesture of trust; the victim's information was compromised and used for the domain; or the victim actually works with the attackers. "The domains are parked, no malware on them or services set up," Wikoff says. "It's strange, but it gave us a timeline of activity."

That victim is a cybersecurity expert in a large consulting firm with a background in the oil and gas industry, she says. SecureWorks reached out to the security expert to alert him of the scam, but hasn't heard back as of this posting, she says.

Remember 'Robin Sage?'

Mia Ash was reminiscent of the 2010 "Robin Sage" social engineering research project conducted by security expert Thomas Ryan, who presented his findings that year at Black Hat USA. Ryan created an online persona of Robin using a photo of a twenty-something real model and set her up on LinkedIn, Facebook, and Twitter. She purportedly worked for the Naval Network Warfare Command. Robin attracted connections from people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the US Marines, a chief of staff for the US House of Representatives, and several Pentagon and DoD employees. Her profiles also attracted defense contractors the likes of Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton. 

Phony personas are really nothing new in the spying world. John Bambenek, threat systems manager at Fidelis Cybersecurity, says phony personas have been around for a long time in espionage circles as well as in cyber espionage. "But it's not efficient" for the attackers as an MO, he says, nor is it the most sophisticated MO. "But to a certain point, social engineering works," he says.

"They do bulk collection and then figure out how to target [their marks] from there," he says.  

Iranian nation-state hackers in general are becoming more sophisticated since their early days of defacing websites. "They continue to evolve. They're not in the top tier in terms of capabilities," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike.

"We've seen several waves of Shamoon. Last fall and winter, they were able to cause quite a bit of damage," Alperovitch notes.

So far, Iran's nation-state hacking operations have been more about spying in their Western targets. But Alperovitch notes that indeed could change to more destructive attacks in the future. "There's no question that there's a great deal of concern. Tensions over the bill passed on sanctions on Iran [for instance] … cyber is one of the ways they can hit back at us," he says.

Palo Alto Networks meawhile late last week revealed some new details on OilRig's activity: they spotted the gang using a new variant of another Iranian threat group's Trojan called ISMAgent. ISMAgent is a more "limited but flexible" version of the so-called Greenbug attack group's Trojan, according to PAN.

"With the inclusion of ISMAgent within the OilRig toolset, we are beginning to see stronger relationships between the various documented groups operating in the Middle East. This region has proven to be a hot bed of espionage-motivated activity over the last couple of years, and there appear to be no signs of this changing," PAN researchers Robert Falcone and Bryan Lee wrote in a blog post

PAN's team has not, however, seen the fake social media profiles SecureWorks found, the researchers said in response to a Dark Reading inquiry.

Related Content:

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/1/2017 | 3:29:15 PM
Re: Social Engineering 101
Oh, considering the human motivation in all of us, celibacy in men might work. LOL
User Rank: Strategist
8/1/2017 | 3:13:45 PM
First phase forensics findings:

Phony female photographer fools forgetful few founders from fossil fuel field, facilitating fake Facebook friend, faux fellow football fan for foreign financial felonies; forfieting firm fortunes fraudulently.

User Rank: Ninja
7/31/2017 | 6:18:21 PM
Social Engineering 101
You have to grudgingly give props to anyone who succeeds on such a large scale with an entry point that is social engineering 101.  Sometimes I can't help but just laugh out loud.  For all our automation, our intelligent software and monitoring, for all our training and warnings to not talk to suspicious actors, we still can't keep the human need for intimacy from throwing a huge wrench in the cogs of InfoSec.  From security to spying, why can we still not get this one right?  Please tell me there's a solution to keep the Mia Ashes of the world away from our vulnerable assets...
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Box Mistakes Leave Enterprise Data Exposed
Dark Reading Staff 3/12/2019
How the Best DevSecOps Teams Make Risk Visible to Developers
Ericka Chickowski, Contributing Writer, Dark Reading,  3/12/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.