State-sponsored cyber spies are stepping up the espionage game with increasingly intricate social engineering scams that target company employees and could play out for months, even years, a security firm has discovered.
If her Facebook and LinkedIn profiles are to be believed, Mia Ash is a pretty 30-year-old photographer from Staffordshire, England, with a master’s degree from the University of London. She has been on social media for some time, has plenty of friends and regularly updates her profiles, including the odd selfie. She can be contacted using any of her available email addresses and she even has WhatsApp.
Nothing about Mia or her online profiles particularly stands out as odd, or suspicious.
Nevertheless, she isn’t real. She’s nothing more than an online persona that does not exist outside of her accounts. The digital successor to Andy Dufresne’s Randall Stevens. Her information is pure fabrication and her photos stolen from someone else. A figment of the imagination of someone you don’t know.
Not only that, but security firm SecureWorks has linked those who created Mia and her online persona to a hacking group called OilRig, which it believes is working on behalf of the Iranian government in a widespread, long-term espionage campaign aimed at befriending employees of high-profile companies in order to infiltrate their respective company networks.
Earlier this year, SecureWorks helped a Middle Eastern company attempt to discover the source of an attempted spyware infection. During its investigation, the security firm discovered that one of the company's employees had been friends with Ms. Mia Ash for over a month. That friendship had begun on LinkedIn over innocent photography-related questions, but soon expanded to other social networks and topics.
The employee was soon asked by Mia to open a photography-related questionnaire, sent over email to his work computer in the form of a Microsoft Excel document. When opened, that document launched a malicious script on the employee’s computer, which subsequently attempted to download and install malware onto the company network. Luckily, the security software on the network prevented the infection from taking hold.
Analysis of the social networks belonging to Mia Ash turned up a number of different friends, mostly from the Middle East, as well as a number of employees of other companies including many from the United States. Mia Ash had been busy befriending people, it would seem.
The case highlights that hackers in the espionage game are more than capable of playing the so-called “long con”, exploiting what will always be the weak point in a company’s cyber defenses – the employees themselves – by developing friendships and building trust over time with the long-term objective of infiltrating their networks. In this example it was malware, but hackers can also glean sensitive information from employee social media profiles, as well as by simply asking seemingly innocuous questions.
The accounts belonging to Mia Ash have now been removed, but Mia is almost certainly only one of a large number of fake online personas out there in the wild right now, created with the sole aim of befriending employees of specifically selected companies and exploiting those friendships in the name of the espionage game.
That should be enough to keep any company director up at night.