Attacks/Breaches

7/31/2017
05:35 PM
Iranian Hackers Ensnared Targets via Phony Female Photographer

IT and security staff and executives in the oil/gas and aerospace sectors in the US, India, Saudi Arabia, Israel, and Iraq were swept up in an elaborate social media ruse used for cyber espionage operations.

She's a London-based young professional photographer, an Arsenal FC fan, and she's interested in learning more about the region where her LinkedIn, Facebook, and Blogger connections live. Her relationship status on Facebook: "It's complicated."

Meet "Mia Ash," a phony but apparently very convincing online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets. The highly detailed and creative social engineering ruse employs "Mia" as the lure in order to ultimately drop information-stealing spy malware onto the victim's machine.

Researchers at SecureWorks last week at Black Hat USA in Las Vegas published a report on this attack campaign, which began in January of this year as a pure phishing campaign and soon evolved to use Mia Ash's phony LinkedIn, Facebook, and blog accounts to further social-engineer the targets and earn their trust.

The so-called OilRig team, aka Cobalt Gypsy, hit petroleum giant Saudi Aramco in 2012 with a massive attack that damaged or wiped the hard drives of some 25,000 of the oil company's computers. The same attackers returned with fresh Shamoon attacks that hit thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

"This is the most active Iranian group we're aware of," says Allison Wikoff, lead researcher on the so-called Mia Ash research by SecureWorks. "We see infrastructure on a weekly basis and new activity all the time" by them, she says.

SecureWorks believes that Mia Ash may be just one of several personas used by the group to gather intel on their targets, mainly energy firms and technology companies in the Middle East. The company has been tracking OilRig/Cobalt Gypsy since 2015, when it first spotted the group creating a network of phony LinkedIn profiles.

While the researchers weren't able to determine the specific information the attackers were after via the Mia persona attacks, they did observe attempts to obtain targets' network credentials.

Once Mia and a target had established their social media relationship, the attackers sent the target a phishing email carrying a macro-laden document. When the recipient enabled macros, the document installed PupyRAT, an open-source remote access tool that gives the attacker full control of the targeted machine.

Wikoff says her team believes this was just the early stages of the full attack. The first stage is to get the targeted individual's credentials via PupyRAT, which would give the attackers a foothold in the target's organization. It's unclear if Shamoon data-wiping would be next in the attack chain, but it's a "plausible hypothesis," she says.
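The lure described above, a macro-laden Office attachment, is also the point where a mail gateway can intervene before any credentials are stolen. The following Python check is an added example written for this page, not code from SecureWorks, Dark Reading or the campaign itself. It relies on the fact that modern Office files (.docx, .xlsm and friends) are ZIP containers in which VBA code is stored as a part named vbaProject.bin, so the check catches macros regardless of the extension the attachment was sent with, and it quarantines legacy OLE (.doc/.xls) files, whose macro streams need a dedicated parser. The attachment names and document contents are constructed for the demonstration.

```python
import io
import os
import zipfile
from typing import Tuple

# Legacy binary Office files (.doc/.xls/.ppt) start with the OLE compound-file header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that Office treats as macro-enabled by design.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (ZIP-based) document contains a VBA project part.

    Office stores VBA code in a part named vbaProject.bin under word/, xl/ or ppt/,
    so inspecting the ZIP directory finds macros no matter what the file was renamed to.
    """
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return False
    stream.seek(0)
    with zipfile.ZipFile(stream) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def is_legacy_ole(data: bytes) -> bool:
    """True for the pre-2007 binary formats, whose macros live in OLE streams."""
    return data.startswith(OLE_MAGIC)


def triage_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for one mail attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if has_vba_project(data):
        return "block", f"VBA project found in OOXML container (sent as {ext or 'no extension'})"
    if is_legacy_ole(data):
        return "quarantine", "legacy OLE document; inspect macro streams with a dedicated parser"
    if ext in MACRO_EXTENSIONS:
        return "quarantine", f"{ext} extension but no readable OOXML VBA part"
    return "allow", "no macro indicators"


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal ZIP container resembling an Office document (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a macro-free document, a macro-enabled workbook, a legacy .doc.
CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
MACRO_XLSM = _build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00" * 64,   # placeholder for the compiled VBA blob
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 56


if __name__ == "__main__":
    samples = [
        ("survey.xlsm", MACRO_XLSM),
        ("survey.docx", MACRO_XLSM),      # renamed: the VBA part is still inside
        ("notes.docx", CLEAN_DOCX),
        ("old_report.doc", LEGACY_DOC),
    ]
    for name, blob in samples:
        verdict, reason = triage_attachment(name, blob)
        print(f"{name:16} -> {verdict:10} {reason}")
```

The check deliberately ignores the filename when a VBA part is present: an attacker can rename the lure, and Office decides how to handle the file from its contents, not its extension. Legacy OLE documents are quarantined rather than parsed here because their macro storage is a separate structured format; in production, hand those to a tool built for it.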

Some of the targets moved their communications with "Mia" to WhatsApp, so it's unclear what information those victims shared with "Mia" in private, she says.

SecureWorks in its report says one of the victims appears to have even registered a domain for Mia, and Mia reciprocated. The researchers aren't sure why the domains were registered, but they believe it was one of three possibilities: a gesture of trust; the victim's information was compromised and used for the domain registration; or the victim actually works with the attackers. "The domains are parked, no malware on them or services set up," Wikoff says. "It's strange, but it gave us a timeline of activity."

That victim is a cybersecurity expert in a large consulting firm with a background in the oil and gas industry, she says. SecureWorks reached out to the security expert to alert him of the scam, but hasn't heard back as of this posting, she says.

Remember 'Robin Sage?'

Mia Ash was reminiscent of the 2010 "Robin Sage" social engineering research project conducted by security expert Thomas Ryan, who presented his findings that year at Black Hat USA. Ryan created an online persona of Robin using a photo of a real twenty-something model and set her up on LinkedIn, Facebook, and Twitter. She purportedly worked for the Naval Network Warfare Command. Robin attracted connections from people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the US Marines, a chief of staff for the US House of Representatives, and several Pentagon and DoD employees. Her profiles also attracted employees of defense contractors the likes of Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.

Phony personas are really nothing new in the spying world. John Bambenek, threat systems manager at Fidelis Cybersecurity, says phony personas have been around for a long time in espionage circles as well as in cyber espionage. "But it's not efficient" for the attackers as an MO, he says, nor is it the most sophisticated MO. "But to a certain point, social engineering works," he says.

"They do bulk collection and then figure out how to target [their marks] from there," he says.

Iranian nation-state hackers in general are becoming more sophisticated since their early days of defacing websites. "They continue to evolve. They're not in the top tier in terms of capabilities," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike.

"We've seen several waves of Shamoon. Last fall and winter, they were able to cause quite a bit of damage," Alperovitch notes.

So far, Iran's nation-state hacking operations against Western targets have been more about spying. But Alperovitch notes that this could change to more destructive attacks in the future. "There's no question that there's a great deal of concern. Tensions over the bill passed on sanctions on Iran [for instance] … cyber is one of the ways they can hit back at us," he says.

Palo Alto Networks meanwhile late last week revealed new details on OilRig's activity: its researchers spotted the gang using ISMAgent, a new variant of a Trojan used by another Iranian threat group. ISMAgent is a more "limited but flexible" version of the so-called Greenbug attack group's Trojan, according to PAN.

"With the inclusion of ISMAgent within the OilRig toolset, we are beginning to see stronger relationships between the various documented groups operating in the Middle East. This region has proven to be a hot bed of espionage-motivated activity over the last couple of years, and there appear to be no signs of this changing," PAN researchers Robert Falcone and Bryan Lee wrote in a blog post.

PAN's team has not, however, seen the fake social media profiles SecureWorks found, the researchers said in response to a Dark Reading inquiry.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
REISEN1955 (User Rank: Apprentice), 8/1/2017 3:29:15 PM
Re: Social Engineering 101
Oh, considering the human motivation in all of us, celibacy in men might work. LOL
cybersavior (User Rank: Strategist), 8/1/2017 3:13:45 PM
First phase forensics findings:

Phony female photographer fools forgetful few founders from fossil fuel field, facilitating fake Facebook friend, faux fellow football fan for foreign financial felonies; forfeiting firm fortunes fraudulently.

Christian Bryant (User Rank: Ninja), 7/31/2017 6:18:21 PM
Social Engineering 101
You have to grudgingly give props to anyone who succeeds on such a large scale with an entry point that is social engineering 101. Sometimes I can't help but just laugh out loud. For all our automation, our intelligent software and monitoring, for all our training and warnings to not talk to suspicious actors, we still can't keep the human need for intimacy from throwing a huge wrench in the cogs of InfoSec. From security to spying, why can we still not get this one right? Please tell me there's a solution to keep the Mia Ashes of the world away from our vulnerable assets...