Iranian hackers lured Deloitte’s cyber warrior using fake female profile

A cyber security expert working for Deloitte was tempted by Iranian hackers to download malicious credential-stealing attachments to his PC last year.

Deloitte was spared further embarrassment because the malware the Iranian hackers planted on an employee's PC never reached the corporate network.

Earlier this month, it came to light that Deloitte, one of the world’s leading accountancy firms, was hit by a destructive cyber-attack that compromised emails sent and received by 244,000 Deloitte employees as well as ‘usernames, passwords, IP addresses, architectural diagrams for businesses and health information’.

It now turns out that the damage suffered by Deloitte could have been much worse had a parallel hacking operation orchestrated by an Iranian hacker group last year succeeded.

As first revealed by Forbes, an Iranian hacker group known as OilRig managed to win the confidence of a Deloitte employee in July last year by using fake social media profiles of an attractive woman to interact with him.

The hackers used pictures of a Romanian photographer to create a fake Facebook profile under a fictitious name ‘Mia Ash’. Using the fictitious profile, they contacted a Deloitte employee who was, in fact, looking after cyber security for Deloitte and was engaged in advising the firm’s clients about their digital defences.

Having engaged the employee in personal conversations for months, the hacker group finally succeeded in getting him to download to his PC an attachment they had included in a phishing email. Before sending the email, they had convinced him that Mia Ash was trying to set up a website for her business and wanted his help.

The malicious attachment in fact carried malware named PupyRAT, which is capable of stealing credentials for corporate accounts. Even though the affected employee downloaded the malware to his work computer, Deloitte was saved from further damage because the malware did not spread to the firm's corporate network.

OilRig, the Iranian hacker group in question, is, according to Forbes, ‘one of the most active hacking organizations to be sponsored by the Iranian government’. Also known as COBALT GYPSY, it has previously been accused of orchestrating phishing attacks on various governments and their embassies, as well as on a number of private companies in the United States.

According to cyber security firm SecureWorks, OilRig has tried to inject PupyRAT, which the firm describes as an open-source cross-platform remote access trojan, into systems owned by entities in the Middle East and North Africa, especially Saudi Arabian organizations.

‘CTU™ researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash.

‘Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims. The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016,’ the firm said.

The firm also said that Mia Ash is likely one of many personas managed by OilRig to gain unauthorized access to targeted computer networks via social engineering. To protect their data and their employees from such malicious actors, the researchers suggest that organisations must provide employees with clear social media guidance and instructions for reporting potential phishing messages.

At the same time, such guidance should also include recommendations for reporting inquiries by an unknown third party about an employer, business systems, or the corporate network, or requests to perform actions such as opening a document or visiting a website.

Even if employees download Microsoft Word documents containing malware from emails sent by third parties, they can reduce the risk of infection by disabling macros in Microsoft Office products, the researchers concluded.
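To illustrate the macro recommendation above, here is an added example (not from the article or from SecureWorks) that audits and hardens Word's macro settings for the current user through the registry. It assumes Office 2016/2019/365, whose settings live under the "16.0" hive version; older builds use a different version number.

```powershell
# Added example: audit and harden Word macro settings for the current user.
# Assumes Office 2016/2019/365 (registry hive version "16.0"); adjust $OfficeVersion otherwise.
$OfficeVersion = '16.0'
$UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security"
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"

# VBAWarnings values: 1 = enable all macros (weak), 2 = disable with notification
# (the default; the user can still click "Enable Content"), 3 = disable all except
# digitally signed macros, 4 = disable all without notification (hardened).
function Get-WordMacroPosture {
    $warn = (Get-ItemProperty -Path $UserKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $blockNet = (Get-ItemProperty -Path $PolicyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    # A missing value means Office applies its default (2): prompt, with macros disabled until enabled.
    $effectiveWarn = if ($null -eq $warn) { 2 } else { [int]$warn }
    $blocksInternet = ($blockNet -eq 1)

    [pscustomobject]@{
        VBAWarnings             = $effectiveWarn
        BlockMacrosFromInternet = $blocksInternet
        # Hardened if a lured user cannot simply enable the macro: signed-only or fully disabled,
        # or macros in downloaded/emailed files (Mark-of-the-Web) are blocked outright.
        Hardened                = ($effectiveWarn -ge 3) -or $blocksInternet
    }
}

function Set-WordMacroHardening {
    foreach ($key in @($UserKey, $PolicyKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Disable all macros without notification, removing the "Enable Content" decision from the user.
    Set-ItemProperty -Path $UserKey -Name VBAWarnings -Value 4 -Type DWord
    # Additionally block macros in files that arrived from the internet or email attachments.
    Set-ItemProperty -Path $PolicyKey -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Report the current posture; run Set-WordMacroHardening to apply the stricter settings.
Get-WordMacroPosture
```

In a managed estate these values are normally pushed through Group Policy rather than set per user; the registry names are the same ones the policy templates write.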

Copyright Lyonsdown Limited 2021
