Iranian state-sponsored actors continue to target researchers by impersonating US think tanks.
SecureWorks Counter Threat Unit (CTU) stated in a report that the targets were all women active in political affairs and human rights in the Middle East region.
Cybersecurity researchers attributed the activity to Cobalt Illusion, a hacking group also known as APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. Academics, activists, diplomats, journalists, politicians, and researchers have all been targeted by threat actors.
The group is suspected of acting on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). In addition, it has a history of establishing contact with individuals of strategic interest to the government through bogus personas.
It is common for Cobalt Illusion to interact with its targets multiple times across different messaging platforms. First, the threat actors send harmless links and documents to establish rapport. They then send a malicious link or document to phish credentials for Cobalt Illusion-targeted systems.
They use credential harvesting to access victims’ mailboxes and use custom tools like HYPERSCRAPE (aka EmailDownloader) to steal data from Gmail, Yahoo!, and Microsoft Outlook accounts using stolen passwords.
A C++-based Telegram “grabber” tool linked to the group facilitates large-scale data harvesting from Telegram accounts after obtaining the target’s credentials.
The most recent activity involves:
- The adversary is posing as an employee of the Atlantic Council.
- A think tank based in the United States.
- Contacting political affairs and human rights researchers under the guise of contributing to a report.
To add credibility to the ruse, the social media accounts associated with the phony “Sara Shokouhi” persona (@SaShokouhi on Twitter and @sarashokouhii on Instagram) claimed to have a Ph.D. in Middle Eastern politics.
Furthermore, according to SecureWorks, the profile photos in these accounts were taken from an Instagram account belonging to a psychologist and tarot card reader based in Russia.
It’s unclear whether the effort resulted in any successful phishing attacks. However, the Twitter account, created in October 2022, is still active, as is the Instagram account.
Phishing and bulk data collection are core Cobalt Illusion tactics, according to Rafe Pilling, principal researcher and Iran thematic lead at SecureWorks CTU.
The group undertakes intelligence gathering, often human focused intelligence, like extracting the contents of mailboxes, contact lists, travel plans, relationships, physical location, etc. This intel is likely blended with other sources and used to inform military and security operations by Iran, foreign and domestic.
The group collects intelligence, often human-focused intelligence, such as the contents of mailboxes, contact lists, travel plans, relationships, physical location, and so on.
This intelligence is most likely combined with information from other sources and used to inform Iran’s foreign and domestic military and security operations. Pilling concluded that this could include surveillance, arrest, detention, or even targeted killing.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.