Secureworks has published its latest analysis from its Counter Threat Unit (CTU). The research identifies a spear phishing campaign, targeting female political affairs and human rights researchers focused on Iran, as the work of state-sponsored threat group, COBALT ILLUSION.
This threat group is suspected of operating on behalf of the Intelligence Organisation of the Islamic Revolutionary Guard Corp (IRGC-IO) in Iran as well as potentially other Iranian government intelligence clients.
The CTU investigated a cluster of activity reported on Twitter on 24 February that shared common traits of past COBALT ILLUSION activity.
A number of people involved in research on human rights and political affairs in Iran reported suspicious interactions from the same Twitter account.
The targets were contacted by an individual using the name Sara Shokouhi and the Twitter handle @SaShokouhi, who spoke to them about contributing to a report by the Atlantic Council, a US think tank.
Notably, the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region.
The MO of COBALT ILLUSION is the targeting of academics, journalists, human rights defenders, political activists, intergovernmental organisations (IGOs), and non-governmental organisations (NGOs) that focus on Iran.
They interact with targets over different messaging platforms, first sending benign links and documents then sending a malicious link or document to phish credentials for systems that COBALT ILLUSION seeks to access.
With this access the group gathers data and intelligence which is used to drive the agenda of Iranian government groups.
The @SaShokouhi account has been operating since October 2022, tweeting or engaging in posts supportive of the Mahsa Amini protests in Iran.
The account has shared content over time to ensure that it appears sympathetic to the protesters’ interests and demands and to create an illusion of shared interests, including cynical use of distressing content such as images of dead children, physical abuse suffered by protesters, anti-Iranian government commentary, and anti-Iranian symbolism.
“The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target’s device.
Having a convincing persona is an important part of this tactic.
In this instance we were able to confirm that the Sara Shokouhi persona was created using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia,” said Rafe Pilling, Principal Researcher and Iran Thematic Lead, Secureworks CTU.
“Phishing and bulk data collection are core tactics of COBALT ILLUSION. We’ve seen this happen in several guises in recent years.
The group undertakes intelligence gathering, often human-focused intelligence, like extracting the contents of mailboxes, contact lists, travel plans, relationships, physical location, etc.
This intel is likely blended with other sources and used to inform military and security operations by Iran, foreign and domestic, which could include surveillance, arrest and detention, or targeted killing,” concluded Pilling.
Since at least 2014, Secureworks CTU has tracked COBALT ILLUSION targeting multiple individuals with fake social media personas and phishing campaigns.