Mia Ash is young, attractive and popular, with hundreds of social media connections.
She shares your favourite hobbies, so when she adds you, you’re flattered and a little bit excited.
After exchanging messages on LinkedIn, you’re happy to continue the conversation on Facebook and WhatsApp.
Mia Ash is a 30-year-old British woman with two art school degrees, a successful career as a photographer, and plenty of friends—more than 500 on Facebook, and just as many on LinkedIn. A disproportionate number of those friends happen to be Middle Eastern men, and when she posts coy selfies to Facebook, they shower her with likes. Her intriguing relationship status: “It’s complicated.” No kidding.
Mia Ash doesn’t exist
You’ve been communicating with a mirage, and you’re about to fall into the hands of a team of hackers believed to be acting on behalf of a hostile foreign government.
Online “honey trap” personas like Mia Ash represent a new front in global espionage, with hackers targeting strategically important companies through their weakest line of defence: their employees.
That’s according to cyber security expert Allison Wikoff from SecureWorks, whose Counter Threat Unit has been tracking the espionage campaign attributed to the group it calls Cobalt Gypsy.
Mia Ash is a sophisticated fake persona that the unit has identified as a tool of Cobalt Gypsy, also known as OilRig, a hacker group understood to be backed by the Iranian government.
The group built highly detailed social media profiles portraying her as a young English photographer, using real images believed to have been stolen from an innocent woman in Romania.
The scam targeted mid-level staff at Middle Eastern telecommunications, technology, aerospace and oil and gas companies, people whose jobs gave them access to sensitive parts of their companies’ IT operations.
Mia Ash introduced herself as a wedding and portrait photographer reaching out to people around the world, saying she wanted to “learn more about your country”.
One worker fell for Mia Ash’s charm, striking up a friendship that lasted several weeks before the true nature of the situation was revealed when the hackers sent him a malware-infected email disguised as a “photography survey”.
The man, an amateur photographer who connected with the young woman believing they had a shared interest, unsuspectingly opened the attachment.
Ms Wikoff said the aim was to steal login IDs and passwords: once opened, the document would install a remote access trojan called PupyRAT, giving the hackers a foothold on the organisation’s computer systems.
“They’re really interested in information that aligns with the Iranian government’s objectives,” she told news.com.au.
A Phish Called Mia
In February, as SecureWorks helped a Middle Eastern company diagnose an attempted spyware infection, the security analysts found that one of that company’s employees had been communicating with the Ash persona for more than a month. The conversation had begun on LinkedIn, where Ash had approached the staffer with questions about photography. The discussion had moved to Facebook, and the scope broadened to work, photography, and travel.
Eventually, Ash sent the staffer an email with a Microsoft Excel attachment for a photography survey. She asked him to open it on his office network, telling him that it would work best there. After a month of trust-building conversation, he did as he was told. The attachment promptly launched a malicious macro on his computer and attempted to install a piece of malware known as PupyRAT, though the company’s malware defenses prevented the installation.
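The lure described above is a macro-bearing Excel file sent as an email attachment. The following is an added illustration of the check a mail gateway or incident responder can run on such an attachment; it is not code from SecureWorks or from the attackers. It relies on the fact that modern Office files (.xlsx, .xlsm, .docx, .docm) are OOXML ZIP packages in which VBA code lives in a part conventionally named vbaProject.bin and declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The sample files are constructed in memory for the demonstration (the VBA part body is a placeholder, not real macro code); legacy OLE2 .xls/.doc files are only recognised by their magic bytes and handed off, since inspecting them needs an OLE-aware parser.

```python
"""Flag Office attachments that carry a VBA macro project (OOXML containers only)."""
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .xls/.doc header
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx"}       # formats that promise no macros


def _declared_vba_parts(ctypes_xml, names):
    """Parts that [Content_Types].xml declares as VBA, via Override or Default."""
    try:
        root = ET.fromstring(ctypes_xml)
    except ET.ParseError:
        return set()
    parts = set()
    vba_exts = {
        d.get("Extension", "").lower()
        for d in root.iter(CT_NS + "Default")
        if d.get("ContentType") == VBA_CONTENT_TYPE
    }
    for o in root.iter(CT_NS + "Override"):
        if o.get("ContentType") == VBA_CONTENT_TYPE:
            parts.add(o.get("PartName", "").lstrip("/"))
    for n in names:
        if "." in n and n.rsplit(".", 1)[-1].lower() in vba_exts:
            parts.add(n)
    return parts


def find_vba_parts(data):
    """Return the sorted archive members holding VBA code, or [] if none.

    Matches both the conventional part name (xl/vbaProject.bin, word/vbaProject.bin)
    and whatever the content-types manifest declares, so a renamed part is still caught.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names = zf.namelist()
    hits = {n for n in names if n.lower().endswith("vbaproject.bin")}
    if "[Content_Types].xml" in names:
        hits |= _declared_vba_parts(zf.read("[Content_Types].xml"), names) & set(names)
    return sorted(hits)


def classify_attachment(filename, data):
    """Coarse verdict a mail gateway could act on for one attachment."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole2"                    # needs an OLE-aware scanner
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"
    parts = find_vba_parts(data)
    if not parts:
        return "no-vba"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_FREE_EXTENSIONS:
        return "macro-in-non-macro-extension"   # extension lies about content
    return "macro-enabled"


def build_ooxml(parts):
    """Constructed minimal OOXML package (a ZIP) from {member name: body}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples, not real attachments: only the package skeleton is
# modelled, and the vbaProject.bin body is a placeholder for a VBA OLE stream.
_CT_HEAD = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.spreadsheetml.sheet.main+xml"/>'
)
SAMPLE_CLEAN_XLSX = build_ooxml({
    "[Content_Types].xml": _CT_HEAD + "</Types>",
    "xl/workbook.xml": "<workbook/>",
})
SAMPLE_MACRO_XLSM = build_ooxml({
    "[Content_Types].xml": _CT_HEAD
        + '<Override PartName="/xl/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/>'
        + "</Types>",
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": OLE2_MAGIC + b"\x00" * 8,   # placeholder body
})

if __name__ == "__main__":
    for name, blob in [("photography_survey.xlsm", SAMPLE_MACRO_XLSM),
                       ("photography_survey.xlsx", SAMPLE_MACRO_XLSM),
                       ("invoice.xlsx", SAMPLE_CLEAN_XLSX)]:
        print(name, "->", classify_attachment(name, blob), find_vba_parts(blob))
```

The verdict is deliberately coarse: presence of a VBA project is enough to quarantine or sandbox an attachment from an external sender, and a macro project inside a file whose extension promises none is worth treating as more suspicious, not less. Whether the macro is benign is a separate question for a sandbox or a tool such as oletools.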
After digging further into Mia Ash, SecureWorks found that the hackers had cultivated the persona as a lure for staffers at target companies for over a year, with the endgame of infecting computers with spyware and gaining an initial foothold in a victim company’s network.
Social engineering, or using human lies and pretenses as a means to lull victims into security slip-ups, is a well-worn page of the hacker playbook. But rarely do hacker groups go to the trouble of building such a long-running, fleshed out persona as Mia Ash, says Allison Wikoff, one of the SecureWorks researchers who led the analysis, which SecureWorks presented at the Black Hat security conference. She points to Ash’s well-populated Facebook, LinkedIn, Blogger, and WhatsApp accounts, as well as two email addresses, as evidence of the hackers’ persistence and planning. “This is one of the most well-built fake personas I’ve seen,” says Wikoff. “It definitely worked, and worked for well over a year.”
Examining Ash’s friends on Facebook and LinkedIn, SecureWorks found she had two distinct sets. First, she seems to have befriended prominent photographers to bolster her profile as a bona fide shutterbug. The second group comprised men aged 20 to 40, mostly in Middle Eastern and Asian countries including Saudi Arabia, Iraq, Iran, and Israel, as well as some Americans, who worked as mid-level technicians, software developers, and administrators at tech, oil and gas, aerospace, consulting, and healthcare companies.
Examining the would-be target list in Ash’s friend group, SecureWorks linked her with a hacker group known as OilRig or Cobalt Gypsy, widely believed to be working for the Iranian government in a widespread cyberespionage campaign. (According to at least one analysis from McAfee, that group also collaborated on a more destructive campaign to plant data-destroying Shamoon malware on the networks of more than a dozen Saudi Arabian targets, and SecureWorks’ analysis of the group’s methods also matches a description of Shamoon-planting hackers tracked by IBM.)
In late 2016, SecureWorks spotted that group launching a broad phishing campaign that also used PupyRAT. A month later, Mia Ash kicked into action at the company SecureWorks aided. Wikoff suggests that means the Ash persona may be used as a secondary tactic: If a specific company’s staff doesn’t fall for more traditional phishing emails, a persona like Ash approaches a specific target there, initiating a professional conversation over LinkedIn, and then building trust via Facebook or WhatsApp before sending the victim a malware payload via email. Based on the time put into the Ash persona, she believes it was likely used repeatedly against the Iranian hackers’ targets. “This is probably a well-oiled machine,” Wikoff says.
Ash to Ashes
After well over a year online, Ash’s LinkedIn profile mysteriously disappeared earlier this month. SecureWorks alerted Facebook to the persona, and the company removed her profile there, too.
SecureWorks also identified the real-life woman whose photos hackers used to assemble Mia Ash’s profiles. But when WIRED reached out to her she declined to speak on the record, and asked not to be identified. Wikoff points to her case as an example of how publicly posting personal photos can have unexpected, creepy consequences. “If you don’t lock down your social media accounts, they can be used in ways that might not directly harm you, but are nonetheless nefarious,” Wikoff says.
But Mia Ash offers a more serious lesson to possible victims of state-sponsored hackers, Wikoff says: Digital honey traps can be highly sophisticated, with personas that appear to have long histories and convincing personalities. And that attractive new Facebook friend may not actually be into your vacation photos.