Who is Mia Ash?
That was the question security analysts at Dell SecureWorks found themselves pondering earlier this year while investigating a flurry of phishing attacks against targets in the Middle East. Analysts believed a sophisticated advanced persistent threat (APT) group was behind the attack, for two reasons. First, the emails contained PupyRAT, a cross-platform remote access Trojan that was first discovered in 2015 and had been used by an Iranian threat actor group Dell refers to as “Cobalt Gypsy” (also known as Threat Group 2889 or “OilRig”). And second, the email addresses used in the attacks weren’t spoofed.
“Many of the phishing emails were coming from legitimate addresses at other companies, which led us to believe those companies had been compromised,” Allison Wikoff, intelligence analyst at Dell SecureWorks, told SearchSecurity.
The email addresses used by the attackers belonged to Saudi Arabian IT supplier National Technology Group and Egyptian IT services firm ITWorx. But as sophisticated as the phishing attacks were, the targeted companies — which included energy, telecommunications, and financial services firms, as well as government agencies in the EMEA region — were largely successful in repelling the attacks and preventing the spread of PupyRAT in their environments.
But after the unsuccessful phishing attacks, Dell SecureWorks’ Counter Threat Unit (CTU) observed something else that alarmed them. Instead of another wave of phishing emails, CTU tracked a complex social media attack that indicated a resourceful, patient and knowledgeable nation-state threat actor.
Who is Mia Ash?
On Jan. 13, after the phishing attacks had ended, an employee at one of the companies targeted by Cobalt Gypsy received a message via LinkedIn from Mia Ash, a London-based photographer in her mid-20s, who said she was reaching out to various people as part of a global exercise. The employee, who SecureWorks researchers refer to anonymously as “Victim B,” connected to the photographer’s LinkedIn profile. To Victim B or the casual observer, Ash’s profile seemed legitimate; it contained a detailed work history and had more than 500 connections to professionals in the photography field, as well as individuals in the same regions and industries as Victim B.
After about a week of exchanged messages about photography and travel, Ash requested that Victim B add her as a friend on Facebook so the two could continue their conversation on that platform. According to SecureWorks’ new report, Victim B instead moved the correspondence to WhatsApp, a messaging service owned by Facebook, as well as email. Then on Feb. 12, Ash sent an email to Victim B’s personal email account with a Microsoft Excel file that was purportedly a photography survey. Ash requested that Victim B open the file at work in his corporate environment so that the file could run properly.
Victim B honored the request and opened the Excel file on his company workstation; the file contained macros that downloaded the same PupyRAT that Cobalt Gypsy used in the barrage of phishing attacks several weeks earlier. “It was the same organization that was hit before, within a month, and that was a big red flag,” Wikoff said.
Luckily, Victim B’s company antimalware defenses blocked the PupyRAT download. But the incident alarmed the company; Dell SecureWorks was asked to investigate the matter, and the CTU team soon discovered that “Mia Ash” wasn’t a professional photographer — in fact, she likely didn’t exist at all — and that another person was targeted long before Victim B.
Behind the online persona
When CTU researchers started digging into the Mia Ash online persona, they discovered more red flags. While Ash’s LinkedIn profile was populated with connections to legitimate professionals, half of the connections bore striking similarities: all male individuals, between their early 20s and 40s, who work in midlevel positions as software developers, engineers and IT administrators. In addition, these connections worked at various oil and gas, financial services and aerospace companies in countries such as Saudi Arabia, India and Israel — all of which had been targeted by the Iranian APT group Cobalt Gypsy.
“We saw a good cross section of LinkedIn connections — half of them were what looked like legitimate photographers and photography professionals, and the other half appeared to be potential targets,” Wikoff said.
This wasn’t the first time threat actors used fake social media accounts for malicious purposes, but this was one of the most complex efforts the researchers had ever seen. The CTU team discovered Mia Ash had been active long before January and that Victim B wasn’t actually the first target to fall prey to this complex social media attack. The CTU team discovered a Blogger website called “Mia’s Photography” that had been created in April 2016. They also found that two other domains apparently belonging to Ash were registered in June and September of last year using a combination of Ash’s information and that of a third party, whom CTU refers to as “Victim A.”
It’s unclear why the domains were registered — they don’t contain malware or any malicious operations — or why Victim A participated. Wikoff said there are a number of possibilities; it’s likely that either Victim A registered both domains as a friendly or romantic gesture to Ash, believing she was real, or that Victim A registered the first domain as a gift for Ash and then the attackers behind the persona registered the second on behalf of Victim A to reciprocate the gesture.
Whatever the case, it appears Victim A was used as a sort of “patient zero” from whom the attackers could establish other social media connections. Wikoff said SecureWorks made attempts to contact Victim A, who like other Mia Ash targets had worked in energy and aerospace companies in the Middle East/Asia region, but so far has not heard back from him. The ironic part is that Victim A is currently an information security manager for a large consulting company – and even he was apparently fooled by this online persona.
There was more to Mia Ash than just the LinkedIn profile and Blogger site; the persona’s Facebook account was populated with personal details (her relationship status, for example, was listed as “It’s complicated”), posts about photography and images of herself, as well as her own professional photos. However, the images were stolen from the social media accounts of a Romanian photographer (Dell SecureWorks did not disclose the woman’s identity in order to protect her privacy).
“At first pass, it looks like a legitimate Facebook profile,” Wikoff said. “The attackers spent a lot of time and effort building this persona, and they knew how to avoid detection.”
For example, Wikoff said, the threat actors rotated or flipped many of the images stolen from the Romanian woman so the pictures would not show up in a reverse image search. The attackers also kept the social media accounts active with fresh postings and content to make them appear authentic and to lure potential targets like Victim A to interact with them; in fact, Victim A interacted with Mia Ash’s Facebook page as recently as March.
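On the defensive side, the mirroring and rotation trick described above can be countered by hashing every orientation of a suspect image before comparing it with a known one. The sketch below is an added example, not code from SecureWorks or the original article; the pixel grids are constructed stand-ins for real photos, and the 10-bit match threshold is an assumption.

```python
# Added example: orientation-invariant perceptual hash for catching mirrored or
# rotated copies of a known image. Pure Python; all pixel grids are constructed.

def transforms(img):
    """Yield all 8 rotations/mirrors of a 2-D grayscale grid."""
    cur = [list(row) for row in img]
    for _ in range(4):
        yield cur
        yield [row[::-1] for row in cur]           # horizontal mirror
        cur = [list(r) for r in zip(*cur[::-1])]   # rotate 90 degrees clockwise

def ahash(img, n=8):
    """Average hash: box-downscale to n x n (image must be at least n x n),
    then set one bit per cell that is brighter than the mean."""
    h, w = len(img), len(img[0])
    cells = []
    for i in range(n):
        for j in range(n):
            block = [img[y][x]
                     for y in range(i * h // n, (i + 1) * h // n)
                     for x in range(j * w // n, (j + 1) * w // n)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (c > mean)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def naive_distance(known, candidate):
    """Compare hashes as-is, the way a flip-unaware lookup would."""
    return hamming(ahash(known), ahash(candidate))

def best_distance(known, candidate):
    """Smallest distance over every orientation of the candidate."""
    ref = ahash(known)
    return min(hamming(ref, ahash(t)) for t in transforms(candidate))

MATCH_THRESHOLD = 10  # assumed cut-off, in bits out of 64

# Constructed inputs: an asymmetric gradient standing in for the known photo.
ORIGINAL = [[6 * x + 2 * y for x in range(32)] for y in range(32)]
MIRRORED = [row[::-1] for row in ORIGINAL]
ROTATED = [list(r) for r in zip(*ORIGINAL[::-1])]
UNRELATED = [[255 if (x // 4 + y // 4) % 2 == 0 else 0 for x in range(32)]
             for y in range(32)]

if __name__ == "__main__":
    for name, img in [("mirrored", MIRRORED), ("rotated", ROTATED),
                      ("unrelated", UNRELATED)]:
        print(name, naive_distance(ORIGINAL, img), best_distance(ORIGINAL, img))
```

The mirrored and rotated copies sit far from the original under the naive comparison but match exactly once all eight orientations are tried, while the unrelated image stays above the threshold either way.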
Online personas as social media attacks
The CTU team determined with a high confidence level that Mia Ash was a fake online persona created by threat actors to befriend employees at targeted organizations and lure those individuals into executing malware in their corporate environments. The CTU team also believes with “moderate confidence” (according to the scale used by the U.S. Office of the Director of National Intelligence) that Mia Ash was created and managed by the Cobalt Gypsy APT group.
The Mia Ash LinkedIn account disappeared before the CTU team could contact LinkedIn; the team alerted Facebook, which removed the Mia Ash profile. The CTU team wasn’t able to determine what Cobalt Gypsy’s ultimate goal was with this social media attack; they only know the threat actors were attempting to harvest midlevel network credentials with the PupyRAT malware.
While the motive for the Mia Ash campaign is still a mystery, Wikoff said it was clear the APT group had done its homework on both the organizations it was targeting and what was required to build and maintain a convincing online persona. In addition, the threat actors specifically targeted employees they knew had the desired network credentials and would likely respond to and engage the Mia Ash persona.
This isn’t the first time Cobalt Gypsy has used social media attacks; in 2015, SecureWorks reported the APT group used 25 fake LinkedIn accounts in a social engineering scheme. In that case, the attackers created profiles of employment recruiters for major companies like Teledyne and Northrop Grumman and used them as malicious honeypots or “honey traps.” Once victims made contact with the fake profiles, attackers would lure them into filling out fraudulent employment applications.
The Mia Ash campaign demonstrates the evolution of such social media attacks. Instead of just composing a single LinkedIn profile, the attackers expanded their online footprint with other social media accounts. And the larger the online presence, Wikoff said, the more convincing the persona becomes.
“Cobalt Gypsy’s continued social media use reinforces the importance of recurring social engineering training,” the SecureWorks report states. “Organizations must provide employees with clear social media guidance and instructions for reporting potential phishing messages received through corporate email, personal email, and social media platforms.”
But Wikoff said awareness training isn’t enough to stop advanced social engineering attacks like the Mia Ash campaign. “You can train people with security awareness, but someone is always going to click,” she said. “And the attackers know this.”
In the case of Victim A, the campaign would have been successful if not for antimalware defenses that prevented PupyRAT (which, it should be noted, was a known malware signature) from downloading. But other organizations might not be as lucky, especially if these attacks use new malware types with no known signatures.
In addition, social media services offer an enormous opportunity for threat actors. Wikoff said attackers can easily set up accounts for LinkedIn, Facebook, Twitter and other services, free of charge, and use them for malicious purposes without running afoul of the sites’ terms of service. While the Mia Ash profiles for LinkedIn and Facebook were removed after the fact, Wikoff said it’s difficult for social media services to spot APT activity like the Mia Ash campaign before a user is victimized.
SecureWorks believes that Cobalt Gypsy has more online personas actively engaged in malicious activity, but finding them before they compromise their potential targets will be a challenge.
“It shows how much bigger the threat landscape has gotten,” Wikoff said. “It’s a case study on persistent threat actors and the effort they will go to in order to achieve their goals.”