Iranian Hackers Launch Virtual Honeypot Scheme

Mia Ash is an attractive 29-year-old freelance photographer living in London who listens to indie music and adores social media.

She’s a bit of a hipster, having studied at Goldsmiths, University of London, and previously worked at the Clapham Picturehouse, and she is in the market for romance.

Ms Ash, who hails from Great Wyrley in Staffordshire, often sports a sexy bob rather like Audrey Tautou’s in the film Amélie.

She doesn’t go for creative professionals but has a thing for older men in senior roles in the energy, IT and aerospace industries. The trouble is, she doesn’t exist.

In reality, hers is a detailed fake persona, a honeytrap conceived to steal confidential information.

The researchers who uncovered the scheme believe that she is the creation of hackers linked to Iran, and an illustration of the sophistication of “social engineering” in cyber-espionage.

The scheme successfully lured senior figures in sensitive industries in the US, Israel, India and Saudi Arabia to reveal confidential data.

Mia also planted snooping software on their companies’ computer networks to harvest data before the sting unravelled in February.

That month a Middle Eastern company called on SecureWorks, a US cybersecurity firm, to investigate an attempted spyware infection.

The analysts soon discovered that an employee with an interest in photography had been communicating with a British “admirer” for more than a month.

The staffer had been flattered when Mia approached him on LinkedIn with questions about their mutual passion. Soon they were friends on Facebook, where they flirted and chatted frankly about their work and hobbies.

Her accounts on Facebook, Instagram, LinkedIn and Blogger showed that she was friends with prominent photographers, so was clearly the real deal.

And her relationship status was “it’s complicated” — signalling availability. All in all, it felt like the beginning of something special.

One day she asked if her special friend could do her a favour. She needed feedback for a photography survey. It was simply a case of completing an Excel spreadsheet.

He would have to complete it on his office computer otherwise the technology would sometimes play up. Such a faff, she admitted, but she would be so grateful.

And he fell for it hook, line and sinker. Once he clicked, the attachment promptly tried to install malware on to the computer, which would enable hackers to infiltrate the network.

It was only thanks to the company’s security software that the attempted incursion was blocked.

The investigation revealed that Mia Ash’s persona had been crafted for almost a year, and her handlers had spent months befriending real photographers online to give the trap greater credibility.

The numerous photos posted of Ms Ash were lifted from the social media accounts of a Romanian student and blogger, and her CV details and regular status updates were influenced by genuine LinkedIn profiles of creative professionals.

Similarities in tools and methods lead the team to believe that Mia was created by the Cobalt Gypsy hacking group. The group has sought to steal other industrial secrets and is believed to be backed by Iran because its targeting is in line with the country’s strategic, political and economic interests.

The group has also been linked to cyberattacks that have taken down thousands of computers in Saudi Arabian companies and state agencies.

Honey traps are one of the oldest tricks in espionage and the Cold War is often regarded as the heyday of the practice. More recently, spy chiefs have warned of Chinese honeytraps targeting British officials at the latest G20 summit.

Documents leaked three years ago by a former contractor of the National Security Agency in the US indicate that British security services also regard the tactic as “a great option”.

Six months after the IDF exposed Hamas’s Facebook catfishing operation, it turns out that the Iranians are also working a similar scheme to obtain secret information from Israeli companies operating in sensitive fields.

Mia Ash is a 29-year-old independent photographer and an attractive woman living in London who loves listening to indie music and “surfing on social media.” She’s been studying at the University of London and is a bit of a hipster—and she’s looking for love. Oddly enough, she seems to be attracted mainly to older men in senior positions in the energy, aviation and information technology industries.

There is only one problem—Mia Ash doesn’t exist. In fact, her profile is fake, designed to steal secret information.

The investigators who uncovered the plot believe Mia was created by hackers linked to Iran.

According to media reports, the scheme was partially successful and senior executives in sensitive industries in Israel, the United States, India and Saudi Arabia may have exposed confidential information to the same fake profile.

Mia also installed spyware on the computers of the companies from which she gathered information, before the scheme was discovered last February.

In the same month, a Middle East company whose name has not been revealed was approached by the US security company SecureWorks to investigate the espionage attempt.

An unnamed employee was flattered when Mia approached him on LinkedIn with questions related to photography—a passion they share. Within a short time they became friends on Facebook, where they corresponded and talked about work and hobbies.

Mia’s Facebook, Instagram, LinkedIn and Blogger accounts have shown that many of her friends are photographers and that her relationship status is defined as “It’s Complicated.”

One day, she asked her new friend if he could do her a favor. She asked him for feedback on a photograph, which included downloading and filling out an Excel sheet. She claimed that this should be done on his work computer, otherwise technological problems would arise.

The employee swallowed the bait and as soon as he downloaded the files, he introduced spyware into the system.

Fortunately, the company’s cyber security detected this.

The investigation found that Mia’s profile had been created a year ago, and that those responsible for it had forged contacts with real photographers over the course of months to give the fictional character credibility. Mia’s photos were taken from the profile of a Romanian student.

An Australian newspaper reported that investigators believe the profile was created by the “Cobalt Gypsy” hacker group, which is believed to be backed by Iran.

The same group was linked to cyber attacks in the past that compromised thousands of computers in Saudi Arabia and cyber attacks on Israeli companies.

This is, of course, not the first case of a fictitious Facebook profile created for espionage purposes.

Six months ago, the IDF said that Hamas had stepped up its cyber espionage activity aimed at IDF soldiers in order to gather intelligence about the army’s operations and its deployment on the Gaza border.

Hamas operatives would pose as attractive, young Israeli women by assuming their identities and making contact with soldiers, mainly through Facebook. Following contact with soldiers, the Hamas operatives would attempt to engage in an intimate virtual relationship and convince soldiers to download an “application” that would allow for video chatting.

The “application” was a Trojan horse, which gave Hamas total control over the device and allowed the terrorist organization to activate the camera and microphone, access contacts, videos and photos, and even WhatsApp conversations and emails—all without the soldier being aware.

Moreover, Hamas also managed to delete the application from the devices, while simultaneously installing more sophisticated monitoring and control applications without leaving a trace.
