September 21, 2017 | By Debashish Bose
Have you ever heard about Mia Ash? Worse still, I hope she is not in your friend list. Mia Ash is supposedly a London-based photographer, around 20 years old, with two art school degrees, a successful career as a photographer, an amateur model, an Arsenal FC fan, a social media butterfly with plenty of friends: more than 500 on Facebook, and just as many on LinkedIn. She has a keen interest in tech-savvy men with ties to the oil and gas industry; a huge number of her contacts happen to be Middle Eastern men, and when she posts selfies to her social media pages, they shower her with likes. She supposedly wants to learn more about the region where her LinkedIn, Facebook, and Blogger contacts live. Her relationship status on Facebook: "It's complicated."

Well, the fun part finishes here. Just for the record, Mia Ash doesn't exist. Mia Ash is a false online persona, or what you would call a virtual persona, created by the hacking group "COBALT GYPSY". This was an extremely well developed persona that had been built, managed and matured with great care over years. The fake identity was created for the purpose of carrying out surveillance of intended targets, thereafter establishing contact with employees of target organizations, and over a period of time gaining their confidence. This came to light because of research carried out by the Counter Threat Unit (CTU) at Dell SecureWorks. The research report was presented at Black Hat 2017.

COBALT GYPSY

The hacking group Cobalt Gypsy has various aliases such as OilRig, TG-2889 and Twisted Kitten. This group is believed to have ties with the Iranian government and has been targeting telecommunications, government, defense, oil and financial services firms located in the Middle East and North Africa.
This is also the same infamous Iran-based hacker team which was behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets, which happened after the destructive Stuxnet attack on the Iranian nuclear facility at Natanz (Kashan). The group has repeatedly used social media, particularly LinkedIn, to identify and interact with employees at targeted organizations. The aim has always been to lure the victim so that eventually they can drop information-stealing spy malware onto the victim's machine. In this case they used weaponized Excel documents to deliver Remote Access Trojans (RATs) such as PupyRAT (an open source cross-platform RAT), which gives an attacker full access to the targeted machine.

Modus Operandi

The hackers started using this fake online persona in April 2016. Around January 13, 2017, "Mia Ash" used her LinkedIn account to contact an individual in one of the targeted organizations, making it appear as a harmless gesture to establish contact with people around the world. This led to an exchange of messages over the next few days regarding their professions, travels and photography. Then, in the second fortnight of January, Mia requested the individual to add her as a friend on Facebook and continue the association there, casually saying that she preferred communicating on Facebook. Thereafter the interactions continued through email, WhatsApp, and Facebook. Around mid-February, she sent a Microsoft Excel document (named as a photography survey) to the employee's personal email account and requested the individual to open the email at work, using the corporate email account, so that the survey would function properly. The survey contained macros that, once enabled, downloaded PupyRAT. This particular hacking group has a tendency to contact targets over LinkedIn and then casually request them to move over to Facebook.
Several of the LinkedIn connections matched names of people associated with the Mia Ash Facebook page, which very clearly brings out the above modus operandi of the group. Over the course of years, the Ash profiles were systematically managed and updated. They attracted a mix of social followers and professional contacts that included both photography enthusiasts and non-photography contacts tied to energy sector jobs. The non-photography endorsers were located in Saudi Arabia, the United States, Iraq, Iran, Israel, India (India had a share of around ten of these targets) and Bangladesh, and worked for technology, oil/gas, healthcare, aerospace, and consulting organizations. They were mid-level employees in technical (mechanical and computer) or project management roles such as technical support engineer, software developer, and system support. The significance of these job titles is that people in these positions would have admin or privileged access into the corporate network; the basic protection from security policies that applies to other users would not apply to these users.

The aim is to target and compromise any one individual within the target organization. That individual may be of no interest to the hackers; to be more specific, the initial target may be of no intrinsic value to the hacking group. The initial target is only to be used as a launch pad, a firm base for launching deeper attacks into the target organization. Once the initial target, along with his or her computing device, has been compromised, the hackers spread laterally into the corporate network of the target organization in search of high value targets. In addition, they also search for other low value targets to use as hiding places, in case their original launch pad is compromised. Some of the targets moved their communications with "Mia" to WhatsApp, so it is unclear what information the victims shared with "Mia" in private.
In all, the analysts at CTU have identified 25 fake LinkedIn accounts, which they have further classified into two categories: fully developed profiles (called Leaders) and supporting profiles (called Supporters). Leader profiles include educational details, current and previous job details, vocational qualifications and LinkedIn group memberships. Of the eight Leader profiles identified by CTU researchers, six have more than 500 connections. Supporter profiles are less developed than Leader personas. They all use the same basic template with one simple job description, and they generally have five connections. The purpose of the Supporter personas appears to be to provide LinkedIn skills endorsements for Leader personas, so as to make the Leader profiles appear genuine. Most of the Supporter accounts identified by CTU researchers have endorsed skills listed on the profiles of the Leaders. Thus, Supporter accounts provide the Leader profiles with an established network, which also enhances credibility. Five of the Leader personas claim to be recruitment consultants, which would provide a very genuine reason for contacting targets.

Innovative techniques were followed, such as altering LinkedIn profiles. Changing the personas associated with existing profiles was a clever exploitation of LinkedIn functionality, because the new identities inherit the network and endorsements of the previous identity. These attributes immediately make the new profiles appear established and credible, and the change prevents the original personas from being overexposed. There are certain legitimate endorsers of the Leader personas, implying that these are targets of the hacking group.

Original Profile

Analysts have confirmed that the photographs used in the fake profile are of a student and photographer who most probably resides in Romania.
This student had uploaded numerous photographs of her own to a variety of social media sites such as Facebook, Instagram and DeviantArt. She uses the profile name "bittersweetvenom". Thus, it appears that members of the Cobalt Gypsy group stole the images from the student's social media accounts to create the various Mia Ash accounts. The fake online persona was created across WhatsApp, Facebook, LinkedIn and DeviantArt. The background information used to build up the persona was taken from a number of places on the internet.

Precedent Case

Mia Ash was reminiscent of the 2010 "Robin Sage" social engineering research project conducted by security expert Thomas Ryan, who presented his findings that year at Black Hat. Ryan created a fake online persona of Robin using a photo of a twenty-something real model and set her up on LinkedIn, Facebook, and Twitter. As per the fake profile, she supposedly worked with the Naval Network Warfare Command. Robin attracted connections from people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the US Marines, a chief of staff for the US House of Representatives, and several Pentagon and DoD employees. Her profiles also attracted defense contractors such as Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton. Thus, we can say that western security experts taught the Iranian hackers all about Digital Honey Traps.
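The Leader/Supporter structure that CTU describes (a well-connected Leader profile whose skill endorsements come from a cluster of thin, template-like Supporter accounts, plus a few legitimate endorsers who are the real targets) lends itself to a simple graph heuristic that a security team could run over profile data it has collected. The Python below is an added example written for this article, not tooling from CTU, SecureWorks or LinkedIn. The profile ids and numbers are constructed, and the thresholds (about five connections and a single job entry for a thin account, 500 connections for a Leader, half of the endorsers being thin) are assumptions taken from the traits the article reports.

```python
"""Heuristic for spotting a 'Leader' persona propped up by 'Supporter' accounts.

Added example, not tooling from the article or from CTU/SecureWorks. The profile
data is constructed with hypothetical ids, and the thresholds are assumptions
that mirror the traits the article attributes to Supporter accounts: one job
entry, about five connections, endorsements concentrated on a Leader profile.
"""
from collections import defaultdict

# Constructed sample profiles (hypothetical ids, not real accounts).
#   connections: number of LinkedIn connections
#   jobs:        number of job entries on the profile
#   endorses:    ids of profiles this account has endorsed
PROFILES = {
    "leader-a":  {"connections": 520, "jobs": 3, "endorses": set()},
    "sup-1":     {"connections": 5,   "jobs": 1, "endorses": {"leader-a"}},
    "sup-2":     {"connections": 4,   "jobs": 1, "endorses": {"leader-a"}},
    "sup-3":     {"connections": 6,   "jobs": 1, "endorses": {"leader-a"}},
    "sup-4":     {"connections": 5,   "jobs": 1, "endorses": {"leader-a"}},
    "genuine-1": {"connections": 310, "jobs": 4, "endorses": {"leader-a", "genuine-2"}},
    "genuine-2": {"connections": 240, "jobs": 2, "endorses": {"genuine-1"}},
}


def is_thin_profile(profile, max_connections=10, max_jobs=1):
    """A template-like account: very few connections and a single job entry."""
    return profile["connections"] <= max_connections and profile["jobs"] <= max_jobs


def endorsers_of(profiles):
    """Invert the endorsement edges: endorsed id -> set of endorsing ids."""
    inverted = defaultdict(set)
    for pid, profile in profiles.items():
        for target in profile["endorses"]:
            inverted[target].add(pid)
    return inverted


def flag_leaders(profiles, min_connections=500, thin_ratio=0.5):
    """Return {leader_id: (thin_endorsers, total_endorsers)} for well-connected
    profiles whose endorsements come mostly from thin accounts."""
    inverted = endorsers_of(profiles)
    flagged = {}
    for pid, profile in profiles.items():
        if profile["connections"] < min_connections:
            continue
        endorsers = inverted.get(pid, set())
        if not endorsers:
            continue
        thin = {e for e in endorsers if is_thin_profile(profiles[e])}
        if len(thin) / len(endorsers) >= thin_ratio:
            flagged[pid] = (len(thin), len(endorsers))
    return flagged


def likely_targets(profiles, flagged):
    """Genuine (non-thin) endorsers of each flagged leader. Per the article, the
    legitimate endorsers of a Leader persona are the people being worked on."""
    inverted = endorsers_of(profiles)
    return {
        pid: {e for e in inverted[pid] if not is_thin_profile(profiles[e])}
        for pid in flagged
    }


if __name__ == "__main__":
    flagged = flag_leaders(PROFILES)
    for pid, (thin, total) in flagged.items():
        print(f"{pid}: {thin}/{total} endorsers are thin template accounts")
    for pid, targets in likely_targets(PROFILES, flagged).items():
        print(f"{pid}: genuine endorsers to warn -> {sorted(targets)}")
```

On the constructed data the script flags `leader-a` (four of its five endorsers are thin accounts) and reports `genuine-1` as the legitimate endorser worth warning. The ratio test matters more than any single threshold: a real recruiter also has a few sparse endorsers, but not a majority of them built from the same template.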
Conclusion
References