A cyber security expert working for Deloitte was tempted by Iranian hackers to download malicious credential-stealing attachments to his PC last year.
Deloitte was spared embarrassment because the malware that Iranian hackers planted on an employee's PC did not go on to breach the corporate network.
Earlier this month, it came to light that Deloitte, one of the world’s leading accountancy firms, was hit by a destructive cyber-attack that compromised emails sent and received by 244,000 Deloitte employees as well as ‘usernames, passwords, IP addresses, architectural diagrams for businesses and health information’.
It now turns out that the damage suffered by Deloitte could have been much worse had a parallel hacking operation orchestrated by an Iranian hacker group last year succeeded.
First revealed by Forbes, an Iranian hacker group known as OilRig managed to win the confidence of a Deloitte employee in July last year by using fake social media profiles of an attractive woman to interact with him.
The hackers used pictures of a Romanian photographer to create a fake Facebook profile under a fictitious name ‘Mia Ash’. Using the fictitious profile, they contacted a Deloitte employee who was, in fact, looking after cyber security for Deloitte and was engaged in advising the firm’s clients about their digital defences.
Having engaged the employee in personal conversations for months, the hacker group finally succeeded in making him download an attachment to his PC which they included in a phishing email. Before sending the email, they had succeeded in making him believe that Mia Ash was trying to set up a website for her business and wanted his help.
The malicious attachment in fact concealed a piece of malware named PupyRAT, which can steal credentials from corporate accounts. Even though the affected employee downloaded the malware to his work computer, Deloitte was spared further damage because the malware did not infect the firm's corporate network.
OilRig, the Iranian hacker group in question, is, according to Forbes, ‘one of the most active hacking organizations to be sponsored by the Iranian government’. Also known as COBALT GYPSY, it has previously been accused of orchestrating phishing attacks on various governments and their embassies, as well as on a number of private companies in the United States.
According to cyber security firm SecureWorks, OilRig has tried to deploy PupyRAT, which it describes as an open-source cross-platform remote access trojan, on systems owned by entities in the Middle East and North Africa, especially Saudi Arabian organizations.
‘CTU™ researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash.
‘Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims. The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016,’ the firm said.
The firm also said that Mia Ash is likely one of many personas managed by OilRig to gain unauthorized access to targeted computer networks via social engineering. To protect their data and their employees from such malicious actors, the researchers suggest that organisations must provide employees with clear social media guidance and instructions for reporting potential phishing messages.
At the same time, such guidance should also include recommendations for reporting inquiries by an unknown third party about an employer, business systems, or the corporate network, or requests to perform actions such as opening a document or visiting a website.
Even if employees download Microsoft Word documents containing malware from emails sent by third parties, they can reduce the risk of infection by disabling macros in Microsoft Office products, the researchers concluded.
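As an added illustration of the macro-blocking recommendation above (this is example code, not part of the original article or of SecureWorks' guidance), the following PowerShell snippet audits and, optionally, hardens the Office VBA macro policy for the current user. It assumes Office 2016 / Microsoft 365 (policy path version 16.0) and a stand-alone machine; on domain-joined machines these keys are normally delivered by Group Policy instead.

```powershell
# Added example: audit and harden the Office macro policy for the current user.
# Assumption: Office 2016 / Microsoft 365 (policy path version "16.0"). On domain-joined
# machines these keys are normally set by Group Policy; writing them directly is a
# stand-alone-machine assumption.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all (weak), 2 = disable with notification (Office default),
# 3 = disable except digitally signed, 4 = disable all without notification (strongest).
# blockcontentexecutionfrominternet: 1 = block macros in files carrying Mark of the Web,
# i.e. documents that arrived by email or download, like the phishing attachment above.
$Hardened = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $current = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = if ($current) { $current.VBAWarnings } else { '(not set)' }
            BlockInternet = if ($current) { $current.blockcontentexecutionfrominternet } else { '(not set)' }
            Compliant     = [bool]($current -and
                              $current.VBAWarnings -eq $Hardened.VBAWarnings -and
                              $current.blockcontentexecutionfrominternet -eq $Hardened.blockcontentexecutionfrominternet)
        }
    }
}

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Hardened.Keys) {
            # DWord policy values; -Force overwrites a weaker existing setting
            New-ItemProperty -Path $path -Name $name -Value $Hardened[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-MacroPolicy | Format-Table -AutoSize   # audit first: shows which apps still allow macros
# Set-MacroPolicy; Get-MacroPolicy         # uncomment to apply the hardened values and re-check
```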