
Iranian Hackers Targeted Deloitte Via A Seriously Convincing Facebook Fake


As America frets over Russians running rampant on Facebook, other adversaries have been exploiting the social network as a way into some of the world’s biggest businesses. An employee at Deloitte, one of the Big Four accounting firms, fell victim to a fake Facebook account in late 2016, Forbes can reveal. And the attacks, believed to have been perpetrated by Iranian government spies, occurred around the same time as a separate hack, recently disclosed by The Guardian, which affected Deloitte data in Microsoft’s Azure cloud-hosting service.

The lovely and disarming “Mia Ash” is a fictional female created by the highly active hacker crew known as OilRig, which, as Forbes reported in July, cybersecurity firm SecureWorks believes is sponsored by the Iranian regime. In July 2016, Mia’s puppeteers targeted a Deloitte cybersecurity employee, engaging him through the social network in conversations about his job, Forbes learned from sources with direct knowledge of the attack. As the online relationship grew, the employee offered to help his new friend Mia set up a website for her alleged business. Eventually, the entity behind Mia exploited the positive rapport to convince the Deloitte employee to open a malicious document sent by Mia on his work computer. Though it’s not believed that particular malware infected the wider company network, according to the sources, it illustrated the ability of the puppeteers to gain the employee’s trust. Forbes will not reveal the individual’s name here, but he was one of the firm’s cybersecurity staffers assisting clients with their digital defenses, making the attack that much more startling.

“This kind of thing is effective because men can’t help themselves apparently,” said James Lewis, a former U.S. diplomat and cybersecurity expert at the Center for Strategic and International Studies.

A Facebook fraud unravels

The Mia Ash persona was built on the photos and profile information of a real photographer from Romania, Cristina Mattei. With alluring images and active avatars across Facebook, WhatsApp and LinkedIn, Mia was a convincing fraud, described previously by SecureWorks cybersecurity researcher Allison Wikoff as one of the most developed fake personas she’d ever seen. (SecureWorks declined to comment for this article).

Certainly, Mia was convincing enough to gain the internet friendship of an Asia-based cybersecurity professional and, after sending messages from summer last year through to February 2017 when she disappeared from Facebook, to convince him to open a file purportedly containing some of her photos on a work laptop. Fortunately for Deloitte, the malware inside, a tool dubbed PupyRat designed to pilfer credentials for corporate systems, didn’t make it onto the company network, sources said.

Mattei, the Romanian photographer and face of Mia Ash, was terse about her online profiles being raided by Iranian cyber spies. “I don’t see the point in offering feedback [about the profile theft], seeing that stealing photos will not stop for as long as you can save them off the internet,” she told Forbes through a Facebook message. “Other than that, it is a hurtful experience and I wanted to put it behind me. It could have happened to anyone.”

Fake Facebook profile created by Iranian hackers

Mia Ash’s Facebook profile stole photos from real Romanian photographer, Cristina Mattei.

The Mia Ash Facebook-based attack appears to be entirely separate from the attack on Deloitte data hosted on Microsoft’s Azure. That successful attack reportedly focused on the U.S. side of the business, not Asia. According to The Guardian, the hackers may have had access to company systems as far back as October 2016, when they obtained a password that gave them “access to all areas” of Deloitte’s global email server. While the firm stressed only a small number of clients were affected and they experienced “no disruption,” KrebsOnSecurity later reported that all its administrator accounts and internal email system were compromised.

Deloitte didn’t respond to those claims, nor has it revealed who it believes was behind the Microsoft Azure attack. It’s been tight-lipped since the incident came to light, not responding to requests for comment on the Mia Ash attacks this week.

But the timings are intriguing, as the Iranian hackers were targeting Deloitte at the same time as unknown attackers gained access to the company’s email server. Questions should be asked about why the Deloitte employee was targeted and whether it was because of the entities he worked with rather than his role at the consultancy, said CSIS’ Lewis. The target was a cybersecurity advisor for clients, not for Deloitte’s internal team, sources noted.

“In a couple instances the Iranians have been really clever: they don’t go after the primary target, they go after the secondary… the Deloitte guy might have been interesting only because of who he was connected to,” said Lewis.

That the OilRig crew was looking beyond its normal stomping ground of the Middle East has also given rise to anxieties about Iran’s digital tentacles reaching further across the globe, especially in light of the Trump administration’s tough stance on the regime. “It’s too attractive not to do it. It’s so easy,” Lewis added. “It’s been a steady upward path for them, starting a decade ago. They test on their citizens, they practise every week against Israel.

“They’ve relationships with the Russians, Chinese and North Koreans, and in at least two of those – Russia and North Korea – we know they’ve exchanged tactics, tools and procedures for cyber.”

Just recently, Palo Alto Networks researchers linked a host of phishing websites designed to steal passwords to OilRig. The hackers had set up a variety of fake login portals for institutions in Israel, including Tel Aviv University and the Institute of National Security Studies.

Nation states and Facebook fakes

As for Facebook, it’s feeling the heat after repeated reports of Russian operatives using the social network to spread misinformation and influence the 2016 election. In the last week, the company admitted that 10 million users had seen advertisements paid for by Kremlin-linked money. It’s also planning to employ another 1,000 moderators in an attempt to manually review ads.

When Forbes first reported on Mia Ash’s activity, Facebook security chief Alex Stamos said the social network would be taking more of a manual approach to dealing with fake personas set up with malicious ends in mind. For some, though, it’s too late. They’ve already been catphished.

This article was written by Thomas Fox-Brewster from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.


