As America frets over Russians running rampant on Facebook, other adversaries have been exploiting the social network as a way into some of the world’s biggest businesses. An employee at Deloitte, one of the Big Four accounting firms, fell victim to a fake Facebook account in late 2016, Forbes can reveal. And the attacks, believed to have been perpetrated by Iranian government spies, occurred around the same time as a separate hack, recently disclosed by The Guardian, which affected Deloitte data in Microsoft’s Azure cloud-hosting service.
The lovely and disarming “Mia Ash” is a fictional female created by the highly-active hacker crew known as OilRig, which, as Forbes reported in July, cybersecurity firm SecureWorks believes is sponsored by the Iranian regime. In July 2016, Mia’s puppeteers targeted a Deloitte cybersecurity employee, engaging him though the social network in conversations about his job, Forbes learned from sources with direct knowledge of the attack. As the online relationship grew, the employee offered to help his new friend Mia set up a website for her alleged business. Eventually, the entity behind Mia exploited the positive rapport to convince the Deloitte employee to open a malicious document sent by Mia on his work computer. Though it’s not believed that particular malware infected the wider company network, according to the sources, it illustrated the ability of the puppeteers to gain the employee’s trust. Forbes will not reveal the individual’s name here, but he was one of the firm’s cybersecurity staffers assisting clients with their digital defenses, making the attack that much more startling.
“This kind of thing is effective because men can’t help themselves apparently,” said James Lewis, a former U.S. diplomat and cyber security expert at the Center for Strategic and International Studies.
A Facebook fraud unravels
The Mia Ash persona was built on the photos and profile information of a real photographer from Romania, Cristina Mattei. With alluring images and active avatars across Facebook, WhatsApp and LinkedIn, Mia was a convincing fraud, described previously by SecureWorks cybersecurity researcher Allison Wikoff as one of the most developed fake personas she’d ever seen. (SecureWorks declined to comment for this article).
Certainly, Mia was convincing enough to gain the internet friendship of an Asia-based cybersecurity professional and, after sending messages from summer last year through to February 2017 when she disappeared from Facebook, to convince him to open a file purportedly containing some of her photos on a work laptop. Fortunately for Deloitte, the malware inside, a tool dubbed PupyRat designed to pilfer credentials for corporate systems, didn’t make it onto the company network, sources said.
Mattei, the Romanian photographer and face of Mia Ash, was terse about her online profiles being raided by Iranian cyber spies. “I don’t see the point in offering feedback [about the profile theft], seeing that stealing photos will not stop for as long as you can save them off the internet,” she told Forbes through a Facebook message. “Other than that, it is a hurtful experience and I wanted to put it behind me. It could have happened to anyone.”
The Mia Ash Facebook-based attack appears to be entirely separate from the attack on Deloitte data hosted on Microsoft’s Azure. That successful attack reportedly focused on the U.S. side of the business, not Asia. According to The Guardian, the hackers may have had access to company systems as far back as October 2016, when they obtained a password that gave them “access to all areas” of Deloitte’s global email server. While the firm stressed only a small number of clients were affected and they experienced “no disruption,” KrebsOnSecurity later reported that all its administrator accounts and internal email system were compromised.
Deloitte didn’t respond to those claims, nor has it revealed who it believes was behind the Microsoft Azure attack. It’s been tight-lipped since the incident came to light, not responding to requests for comment on the Mia Ash attacks this week.
But the timings are intriguing, as the Iranian hackers were targeting Deloitte at the same time as unknown attackers gained access to the company’s email server. Questions should be asked about why the Deloitte employee was targeted and whether it was because of the entities he worked with rather than his role at the consultancy, said CSIS’ Lewis. The target was a cybersecurity advisor for clients, not for Deloitte’s internal team, sources noted.
“In a couple instances the Iranians have been really clever: they don’t go after the primary target, they go after the secondary… the Deloitte guy might have been interesting only because of who he was connected to,” said Lewis.
That the OilRig crew was looking beyond its normal stomping ground of the Middle East has also given rise to anxieties about Iran’s digital tentacles reaching further across the globe, especially in light of the Trump administration’s tough stance on the regime. “It’s too attractive not to do it. It’s so easy,” Lewis added. “It’s been a steady upward path for them, starting a decade ago. They test on their citizens, they practise every week against Israel.
“They’ve relationships with the Russians, Chinese and North Koreans, and in at least two of those – Russia and North Korea – we know they’ve exchanged tactics tools and procedures for cyber.”
Just recently, Palo Alto Networks researchers linked a host of phishing websites designed to steal passwords to OilRig. The hackers had set up a variety of fake login portals for institutions in Israel, including Tel Aviv University and the Institute of National Security Studies.
Nation states and Facebook fakes
As for Facebook, it’s feeling the heat after repeated reports of Russian operatives using the social network to spread misinformation and influence the 2016 election. In the last week, the company admitted that 10 million users had seen advertisements paid for by Kremlin-linked money. It’s also planning to employ another 1,000 moderators in an attempt to manually review ads.
When Forbes first reported on Mia Ash’s activity, Facebook security chief Alex Stamos said the social network would be taking more of a manual approach to dealing with fake personas set up with malicious ends in mind. For some, though, it’s too late. They’ve already been catphished.