Mia Ash and the Cobalt Gypsy Iranian Threat Group

By MDL on August 4, 2017

Cobalt Gypsy, the Iranian threat group believed to be behind the Shamoon and Shamoon2 destructive wiper attacks that rendered 25,000 computers at the oil company Saudi Aramco unusable, may be connected to the fake online persona “Mia Ash” used in spear-phishing campaigns across the Middle East/North Africa (MENA) region.

“Mia Ash,” a fictional online persona, has been befriending telecommunications, oil/energy, technology, government, and defense workers from Arab states in the MENA region via social media platforms before sending targeted malicious emails aimed at gaining remote access.

The “Mia Ash” persona poses as a photographer wanting to learn more about the Middle East. The persona makes contact with targets, usually via LinkedIn, then encourages the target to move the conversation to Facebook or WhatsApp, perhaps because both Facebook Messenger and WhatsApp are capable of end-to-end encryption that could keep the communication from being intercepted. Eventually the persona sends the target a macro-enabled Microsoft Excel workbook (.xlsm); once the target clicks “Enable Content”, the embedded macro installs PupyRAT, an open-source remote access trojan that gives the attackers control of the target’s machine.

SecureWorks, the security company that investigated the campaign, reports that “Mia Ash” would ask her targets to open the malicious file “Copy of Photography Survey.xlsm” on their work computers using their work email address “so the survey would function properly.” The attacker evidently wanted the RAT running on a domain-joined workstation inside the target’s corporate network, where user and administrator network credentials could be harvested, rather than on a personal device.
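The delivery vector above is a macro-enabled OOXML workbook, which is simply a zip container carrying an `xl/vbaProject.bin` part. The following script is an added example (not SecureWorks’ code or anything from the campaign) of the check a mail gateway can apply to such attachments: it opens the zip, looks for VBA parts and macro-enabled content types, and flags the case where a macro-bearing workbook has been renamed to a “harmless” .xlsx extension. The sample containers it builds are constructed stubs, not real workbooks, and the file names are taken from the article.

```python
"""Flag macro-enabled Office attachments before they reach a user's inbox.
Added example; the OOXML layout checks are standard, the samples are constructed."""
import io
import zipfile

# Zip parts that indicate VBA code inside an OOXML container (xlsm/docm/pptm).
VBA_PART_SUFFIXES = ("vbaproject.bin", "vbaprojectsignature.bin")
# Main-part content types that only macro-enabled Office formats declare.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Extensions that should never contain VBA; if they do, someone renamed the file.
EXPECTED_MACRO_FREE = {".xlsx", ".docx", ".pptx"}


def inspect_ooxml(filename: str, data: bytes) -> dict:
    """Return findings for one attachment: OOXML or not, VBA present,
    macro content type declared, and extension/content mismatch."""
    result = {"is_ooxml": False, "has_vba": False,
              "macro_content_type": False, "extension_mismatch": False}
    if not data.startswith(b"PK"):          # not a zip, so not OOXML
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result               # a zip, but not an Office container
            result["is_ooxml"] = True
            result["has_vba"] = any(n.lower().endswith(VBA_PART_SUFFIXES) for n in names)
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        return result
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    result["extension_mismatch"] = ext in EXPECTED_MACRO_FREE and (
        result["has_vba"] or result["macro_content_type"])
    return result


def should_quarantine(filename: str, data: bytes) -> bool:
    """Policy: hold any attachment that carries VBA, declares a macro-enabled
    content type, or hides macros behind a macro-free extension."""
    r = inspect_ooxml(filename, data)
    return r["has_vba"] or r["macro_content_type"] or r["extension_mismatch"]


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real workbook."""
    main_ct = (MACRO_CONTENT_TYPES[0] if macro else
               "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/xl/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # OLE compound-file magic followed by a stub body; enough for the check.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("Copy of Photography Survey.xlsm", build_sample(True)),
                       ("Copy of Photography Survey.xlsx", build_sample(True)),
                       ("quarterly_figures.xlsx", build_sample(False))]:
        print(name, inspect_ooxml(name, data), "QUARANTINE" if should_quarantine(name, data) else "pass")
```

The content-type check matters because renaming `Survey.xlsm` to `Survey.xlsx` does not stop Excel from running the macro on “Enable Content”; the gateway has to look inside the container rather than trust the extension.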

The Shamoon attacks were so successful, in part, because user credentials had been gathered well in advance of the attack. With the “Mia Ash” social engineering and spear phishing attacks, perhaps we are seeing how the user credentials employed in the Shamoon attacks were originally obtained.

False online personas have been used in social engineering attacks before, but what makes “Mia Ash” significant is that it is what SecureWorks calls a “fully-developed persona” or “leader persona”: photos, a website, education and employment histories, endorsements, and hundreds of real contacts. The persona remains consistent across multiple social media platforms, which lends believability to the fictional character.

SecureWorks says “Mia Ash” may be just one of a number of leader personas under the control of one threat group working to gather information from telecommunication and tech workers in Middle East companies. They attributed this specific social engineering activity to Cobalt Gypsy, “a threat group associated with Iranian government-directed cyber operations.” SecureWorks lead researcher, Allison Wikoff, called Cobalt Gypsy “the most active Iranian group we’re aware of.”

The success of this form of social engineering is worrying on the heels of reports that the “email prankster” known as Sinon Reborn, known for fooling well-known public figures in the UK, recently tricked Homeland Security Adviser Tom Bossert, former White House Communications Director Anthony Scaramucci, and Ambassador to Russia nominee Jon Huntsman Jr. into email exchanges. He did so with ordinary webmail accounts created in the names of other White House officials; the recipients trusted the displayed name rather than checking the sending address. A nation-state level threat group gaining access to White House networks could result in, at the very least, cyberespionage and the degradation of trust in official White House communications.
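The prankster’s technique, a webmail account bearing a real official’s name, is display-name impersonation, and it can be caught mechanically. The script below is an added example (not from any of the sources cited here) of the check a mail filter can run on the From header: RFC 2047-decode it, compare the display name and the local part of the address against a staff directory, and flag a match whose domain is outside the organisation. The directory uses the three names from the article; the domains and sample headers are assumed/constructed for the demonstration.

```python
"""Flag From headers whose display name or local part matches a known staff
member while the address lies outside the organisation's own domains.
Added example; names are from the article, domains and headers are constructed."""
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.gov"}                                   # assumed placeholder
STAFF_DIRECTORY = ["Tom Bossert", "Anthony Scaramucci", "Jon Huntsman"]  # names from the article


def normalize_name(text: str) -> str:
    """Lower-case, strip accents, drop everything but letters, collapse spacing,
    so 'Tóm.Bossert1' and 'Tom Bossert' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z]+", " ", text.lower())
    return " ".join(text.split())


def decode_from(raw_header: str) -> tuple:
    """RFC 2047-decode the raw header, then split it into (display name, address)."""
    decoded = str(make_header(decode_header(raw_header)))
    return parseaddr(decoded)


def check_sender(raw_header: str, directory=STAFF_DIRECTORY, internal=INTERNAL_DOMAINS) -> dict:
    """Return the parsed sender plus which staff member (if any) it impersonates.
    'suspicious' is true only when a directory name matches AND the domain is external."""
    display, addr = decode_from(raw_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    external = domain not in internal
    display_norm = normalize_name(display)
    local_norm = normalize_name(local).replace(" ", "")
    impersonated = None
    for name in directory:
        name_norm = normalize_name(name)
        if display_norm == name_norm or (local_norm and local_norm == name_norm.replace(" ", "")):
            impersonated = name
            break
    return {
        "display": display,
        "address": addr,
        "external": external,
        "impersonated": impersonated,
        "suspicious": external and impersonated is not None,
    }


if __name__ == "__main__":
    # Constructed sample headers: one legitimate internal sender, three impersonations,
    # one unrelated external sender.
    samples = [
        '"Tom Bossert" <tom.bossert@example.gov>',
        '"Tom Bossert" <tombossert1@webmail.example.net>',
        '=?utf-8?b?VG9tIEJvc3NlcnQ=?= <tb@webmail.example.net>',
        '"Newsletter" <anthony.scaramucci@freemail.example>',
        'Mia Ash <mia@photos.example.org>',
    ]
    for h in samples:
        print(h, "->", check_sender(h))
```

The address-local-part check covers the variant where the display name is innocuous but the mailbox itself is `firstname.lastname@freemail`; the RFC 2047 decoding covers senders who encode the display name to slip past naive string matching. A match is a review trigger, not proof of attack, since staff do sometimes mail from personal accounts.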

Online communication, especially over social media, lends itself to the kind of social engineering that leads to compromise. All employees, but especially those with elevated network privileges and public figures, should be trained in safe and private use of social media, spotting phishing emails, not opening unsolicited attachments (and never enabling macros in them), and recognizing social engineering attempts.

Sources:

Dark Reading, Iranian Hackers Ensnared Targets via Phony Female Photographer

SecureWorks, The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets

SecureWorks, Hacker Group Creates Network of Fake LinkedIn Profiles

HelpNet Security, Hackers impersonate women online to get into target corporate networks

Graham Cluley, Email prankster tricks White House officials

CNN, White House officials tricked by email prankster