Tehran Targets Female Activists in Espionage Campaign
Security researchers have uncovered a new Iranian state-backed cyber-espionage campaign aimed at rooting out female human rights activists causing trouble for the regime.
Secureworks fittingly released its analysis of the latest Cobalt Illusion campaign a day after International Women’s Day.
The group is suspected of operating on behalf of various Iranian government entities and the Intelligence Organization of the Islamic Revolutionary Guard Corp (IRGC-IO).
Targets were typically contacted by a fake Twitter user, ‘Sara Shokouhi,’ who spoke to them about an opportunity to contribute to an article for think tank the Atlantic Council.
The threat actors would then try to phish for credentials, perhaps via a malicious link, and/or deploy malware to the target’s machine or device.
“Phishing and bulk data collection are core tactics of Cobalt Illusion. We’ve seen this happen in several guises in recent years. The group undertakes intelligence gathering, often human-focused intelligence, like extracting the contents of mailboxes, contact lists, travel plans, relationships, physical location, etc.,” said Secureworks principal researcher, Rafe Pilling.
“This intel is likely blended with other sources and used to inform military and security operations by Iran; foreign and domestic. Which could include surveillance, arrest and detention, or targeted killing.”
All of those targeted in the campaign were identified as woman actively involved in political affairs and human rights in the Middle East, the report claimed.
The fake @SaShokouhi Twitter account went to extreme lengths to appear sympathetic to the aims of its targets. It apparently tweeted and engaged with posts supportive of the mass Mahsa Amini protests in Iran, including those featuring distressing content such as images of dead children and physical abuse suffered by protesters.
“The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target’s device,” explained Pilling.
“Having a convincing persona is an important part of this tactic. In this instance we were able to confirm that the Sara Shokouhi persona was created using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia.”