- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
Tehran Targets Female Activists in Espionage Campaign
Security researchers have uncovered a new Iranian state-backed cyber-espionage campaign aimed at rooting out female human rights activists causing trouble for the regime.
Secureworks fittingly released its analysis of the latest Cobalt Illusion campaign a day after International Women’s Day.
The group is suspected of operating on behalf of various Iranian government entities and the Intelligence Organization of the Islamic Revolutionary Guard Corp (IRGC-IO).
Targets were typically contacted by a fake Twitter user, ‘Sara Shokouhi,’ who spoke to them about an opportunity to contribute to an article for think tank the Atlantic Council.
The threat actors would then try to phish for credentials, perhaps via a malicious link, and/or deploy malware to the target’s machine or device.
“Phishing and bulk data collection are core tactics of Cobalt Illusion. We’ve seen this happen in several guises in recent years. The group undertakes intelligence gathering, often human-focused intelligence, like extracting the contents of mailboxes, contact lists, travel plans, relationships, physical location, etc.,” said Secureworks principal researcher, Rafe Pilling.
“This intel is likely blended with other sources and used to inform military and security operations by Iran; foreign and domestic. Which could include surveillance, arrest and detention, or targeted killing.”
All of those targeted in the campaign were identified as woman actively involved in political affairs and human rights in the Middle East, the report claimed.
The fake @SaShokouhi Twitter account went to extreme lengths to appear sympathetic to the aims of its targets. It apparently tweeted and engaged with posts supportive of the mass Mahsa Amini protests in Iran, including those featuring distressing content such as images of dead children and physical abuse suffered by protesters.
“The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target’s device,” explained Pilling.
“Having a convincing persona is an important part of this tactic. In this instance we were able to confirm that the Sara Shokouhi persona was created using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia.”