A well-known Iranian threat group, Cobalt Illusion, has been linked to a spear-phishing campaign that is using the protests surrounding the death of Mahsa Amini in Iran as a lure.
Amini was a 22-year-old Iranian woman who was allegedly beaten to death by Iranian police for not wearing her hijab in accordance with government regulations. Her death set off a series of protests, particularly by women, who used them to publicly defy the same rules for which Amini was arrested.
Researchers from Secureworks identified the campaign, which uses a fake Twitter account to target such female protesters, as well as political activists and human rights researchers. Someone using the name Sara Shokouhi, with the Twitter handle @SaShokouhi, reaches out to victims purportedly on behalf of US think tank Atlantic Council. In reality, Sara is a creation of the Cobalt Illusion advanced persistent threat (APT), aka Charming Kitten, APT42, Phosphorus, TA453, and Yellow Garuda.
"The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target's device," said Rafe Pilling, Secureworks CTU principal researcher and Iran thematic lead, in a press statement. "Having a convincing persona is an important part of this tactic."
A cluster of activity reported on Twitter Feb. 24 spurred investigation into possible malicious cyber activity, after a number of women actively involved in Middle East political affairs and human rights reported contact from the individual, researchers revealed in a blog post published today. They discovered that the @SaShokouhi Twitter account, in operation since October, has been tweeting or engaging in posts supportive of the Mahsa Amini protest in Iran to appear "sympathetic to protesters' interests and demands and create an illusion of shared interests," the Secureworks Counter Threat Unit (CTU) research team wrote in the post.
Finding Common Ground
Cobalt Illusion appears to have used the protests as a way to find common ground with targets, the researchers said. Included in some of the posts made by @SaShokouhi were "cynical use of distressing content such as images of dead children, physical abuse suffered by protesters, anti-Iranian government commentary, and anti-Iranian symbolism," the researchers wrote.
The researchers ultimately found that attackers created the Sara Shokouhi persona using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia, Pilling said. The APT also set up a fake Instagram account using the photos, @sarashokouhii.
The tactics used in the campaign are typical of the Cobalt Illusion APT, which is associated with Iran's Islamic Revolutionary Guard Corps (IRGC) and has been active since about 2014.
"Phishing and bulk data collection are core tactics of Cobalt Illusion," Pilling said. "We've seen this happen in several guises in recent years."
Indeed, the group is known for using social media platforms to target academics, journalists, human rights defenders, political activists, intergovernmental organizations (IGOs), and nongovernmental organizations (NGOs) that focus on Iran. Their modus operandi is to set up trusted relationships through these platforms and then use phishing campaigns to steal credentials for systems they wish to access for cyber-espionage purposes, the researchers said.
Cobalt Illusion uses the information stolen through this activity in various ways, including to inform Iranian military and security operations of activity by persons of interest, which could lead not only to their surveillance but even to their arrest, detention, or targeted killing, Pilling said.
Impersonating a Think Tank
In the recent campaign observed by Secureworks, the SaShokouhi persona courted victims by claiming to work with Holly Dagres, a senior fellow at the Atlantic Council. In a tweet — a screenshot of which researchers included in their post — Dagres herself denied working with Shokouhi, indicating that the persona is not legitimate.
The link to Atlantic Council is also a giveaway that Cobalt Illusion is involved, the researchers said. That's because in previous activity confirmed by the Computer Emergency Response Team in Farsi (CERTFA) in September, the APT impersonated an Atlantic Council employee, they said. CERTFA is composed of cybersecurity experts in Iran's digital security space.
"In that campaign, the group attempted to engage targets in video calls and delivered phishing links via the chat function at an appropriate point in the conversation," CTU researchers wrote.
CERTFA Lab has published a set of phishing indicators related to the campaign, which align with past Cobalt Illusion activity. Researchers recommended that organizations that could be targeted use available controls to review the IP addresses associated with the campaign and restrict access to them, and be wary that they are likely to contain malicious content before opening them in a browser.
As always, when it comes to phishing, organizations should use industry-proven and reliable email-scanning technology to delete malicious messages before they reach employees, as well as train employees how to spot hallmarks of phishing activity to avoid engaging and thus risking compromise of sensitive data and systems, the researchers said.