Female human rights activists are being targeted by a state-backed threat group posing as a fellow campaigner to steal their personal data, possibly with the intention of passing it on to the Islamist regime in Iran.
Counter-threat group Secureworks said it had evidence to suggest Cobalt Illusion, a partisan cyber unit with established links to the fundamentalist state, was behind the latest campaign, which it said exclusively targeted women who campaign over human rights abuses in the Middle East.
It said the case first came to light in February on the social media platform Twitter, where someone purporting to be an activist by the name of Sara Shokouhi was spotted reaching out to genuine campaigners against the oppression of women in the region.
Secureworks described Cobalt Illusion’s suspected phishing campaign as “cynical” in its use of distressing imagery of state repression of protestors in Iran to lure victims into thinking they were dealing with a ‘fellow traveler’ in the struggle for human rights.
Posting under the Twitter handle of @SaShokouhi, the bogus activist put up “content such as images of dead children, physical abuse suffered by protestors, anti-Iranian government commentary, and anti-Iranian symbolism.”
In light of the reported torture and killing of hundreds of dissidents in Iran following the death of Mahsa Amini in police custody, such imagery was all the more likely to provoke an emotional reaction from victims, the one thing phishing crooks of any stamp rely on most to succeed at social engineering.
Not all as it seems
An investigation by Secureworks revealed that the flagship Twitter picture purporting to be of Shokouhi had in fact been stolen from the Instagram account of a Russian national who had nothing to do with activism.
“The individual in these photos is not Sara Shokouhi,” it said. “The image belongs to a psychologist and tarot-card reader based in Russia. The threat group responsible for the fake Sara Shokouhi persona stole these images [...] and used them as the basis for the SaShokouhi Twitter account.”
Further claims by ‘Shokouhi’ to be working with Holly Dagres, a senior researcher at NATO-friendly US thinktank the Atlantic Council, were subsequently debunked on Twitter on February 23 by the real Dagres, who tweeted: “It is a lie, such a person does not work with me.”
A parallel fake account for the fictitious Shokouhi on Instagram implied that she held a PhD in “Middle East Polotics [sic],” in a further, albeit inept, attempt to persuade activists befriended by the shell digital persona that they were dealing with somebody legitimate.
Seeing through the Illusion
Secureworks said there were “multiple hallmarks” spotted in the campaign to suggest it was conducted at least in part by Cobalt Illusion, which also goes by the aliases Charming Kitten, Phosphorus, and Yellow Garuda.
The security firm describes the myriad-named group as “suspected of operating on behalf of the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC-IO) in Iran.”
“Cobalt Illusion targets a wide range of individuals and is particularly interested in academics, journalists, human rights defenders, political activists, intergovernmental organizations, and NGOs that focus on Iran,” it added. “The threat actors create a fake persona and then use it to contact a target with a request for an interview, assistance on a report, or to discuss a shared interest.”
After developing a rapport with the target over a short period of time, Cobalt Illusion “then attempts to phish credentials or deploy malware to the target's computer or mobile device.”
It added: “Data stolen from victims' accounts could be used to inform intelligence priorities for the IRGC-IO and other Cobalt Illusion customers.”