Iranian hackers target women involved in human rights and Middle East politics

March 9, 2023 | Ravie Lakshmanan | Cyber espionage

Iranian state-sponsored actors continue to engage in social engineering campaigns targeting researchers by impersonating a US think tank.

“Specifically, the targets in this case were all women who are actively involved in political affairs and human rights in the Middle East region,” Secureworks’ Counter Threat Unit (CTU) said in a report shared with The Hacker News.

The cybersecurity company attributed the activity to a hacker group it tracks as Cobalt Illusion, which is also known under the names APT35, Charming Kitten, ITG18, Phosphorus, TA453 and Yellow Garuda.

The threat actor’s targeting of academics, activists, diplomats, journalists, politicians and researchers has been well documented over the years.

The group is suspected of operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) and has shown a pattern of using false personas to establish contact with individuals of strategic interest to the government.

“It is common for Cobalt Illusion to interact with its targets multiple times across different messaging platforms,” SecureWorks said. “The threat actors first send benign links and documents to build relationships. They then send a malicious link or document to phish credentials for systems that Cobalt Illusion seeks to access.”

The group’s main tactic is credential harvesting to gain control of victims’ mailboxes, combined with custom tools such as HYPERSCRAPE (aka EmailDownloader) that use the stolen passwords to steal data from Gmail, Yahoo! and Microsoft Outlook accounts.

Another custom malware linked to the group is a C++-based Telegram “grabber” tool that facilitates large-scale data collection from Telegram accounts after obtaining the target’s credentials.

The latest activity involves the adversary posing as an employee of the Atlantic Council, a US-based think tank, and reaching out to political affairs and human rights researchers under the pretense of contributing to a report.

To make the ruse convincing, the social media accounts associated with the fake “Sara Shokouhi” persona (@SaShokouhi on Twitter and @sarashokouhii on Instagram) claimed to have a doctorate in Middle Eastern politics.

Also, according to SecureWorks, the profile pictures in these accounts were allegedly taken from an Instagram account belonging to a psychologist and tarot card reader based in Russia.

It is not immediately clear whether the effort resulted in any successful phishing attacks. The Twitter account, created in October 2022, is still active to date, as is the Instagram account.

“Phishing and bulk data collection are the core tactics of Cobalt Illusion,” Rafe Pilling, principal researcher and Iran thematic lead at SecureWorks CTU, said in a statement.

“The group undertakes intelligence gathering, often human-focused intelligence, such as extracting the contents of mailboxes, contact lists, travel plans, relationships, physical location, etc. This information is likely mixed with other sources and used to inform military and security operations by Iran, foreign and domestic.”
