Iranian state-sponsored threat group impersonates US Think Tank
Female political affairs and human rights researchers focused on Iran have been targeted by a spear phishing campaign. Analysis from Secureworks's Counter Threat Unit (CTU) has identified the work as that of COBALT ILLUSION. The threat group is suspected to be operating on behalf of the Intelligence Organisation of the Islamic Revolutionary Guard Corp (IRGC-IO) in Iran. They may potentially work on behalf of other Iranian government intelligence clients also.
The targets were contacted on Twitter by an individual named Sara Shokouhi and the account @SaShokouhi. The CTU investigated a cluster of activity on the 24th of February that shared similarities with past COBALT ILLUSION activity. The account spoke to them about contributing to an Atlantic Council (US Think Tank) report.
Notably, the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region.
"The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target's device. Having a convincing persona is an important part of this tactic," says Rafe Pilling, Principal Researcher and Iran Thematic Lead, Secureworks CTU.
"In this instance we were able to confirm that the Sara Shokouhi persona was created using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia."
COBALT ILLUSION's main objective is the targeting of academics, journalists, human rights defenders, political activists, intergovernmental organisations (IGOs), and non-governmental organisations (NGOs) that focus on Iran.
It interacts with targets over different messaging platforms, first sending benign links and documents, then sending a malicious link or document to phish credentials for systems that it seeks to access.
With this access, the group gathers data and intelligence, which is used to drive the agenda of Iranian government groups.
The @SaShokouhi Twitter account has been operating since October 2022.
The account has shared content over time to ensure that it appears sympathetic to the protestors' interests and demands and create an illusion of shared interests, including cynical use of distressing content such as images of dead children, physical abuse suffered by protesters, anti-Iranian government commentary, and anti-Iranian symbolism.
"Phishing and bulk data collection are core tactics of COBALT ILLUSION. We've seen this happen in several guises in recent years. The group undertakes intelligence gathering, often human focused intelligence, like extracting the contents of mailboxes, contact lists, travel plans, relationships and physical location," adds Pilling.
"This intel is likely blended with other sources and used to inform military and security operations by Iran; foreign and domestic. Which could include surveillance, arrest and detention, or targeted killing."