Mia Ash is a 30-year-old British woman with two art school degrees, a successful career as a photographer, and plenty of friends—more than 500 on Facebook, and just as many on LinkedIn. A disproportionate number of those friends happen to be Middle Eastern men, and when she posts coy selfies to Facebook, they shower her with likes. Her intriguing relationship status: “It’s complicated.” No kidding. Mia Ash doesn’t exist.
Instead, she’s a persona, her biography fabricated and her photos stolen from another woman’s online profiles, according to researchers at the security firm SecureWorks. They believe Ash is the elaborate creation of Iranian state-sponsored hackers who have targeted dozens of organizations around the Middle East in a massive, years-long campaign of espionage and possibly even data destruction.
A Phish Called Mia
In February, as SecureWorks helped a Middle Eastern company diagnose an attempted spyware infection, the security analysts found that one of that company’s employees had been communicating with the Ash persona for more than a month. The conversation had begun on LinkedIn, where Ash had approached the staffer with questions about photography. The discussion had moved to Facebook, and the scope broadened to work, photography, and travel.
Eventually, Ash sent the staffer an email with a Microsoft Excel attachment for a photography survey. She asked him to open it on his office network, telling him that it would work best there. After a month of trust-building conversation, he did as he was told. The attachment promptly launched a malicious macro on his computer and attempted to install a piece of malware known as PupyRAT, though the company’s malware defenses prevented the installation.
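The attachment in that exchange was a macro-bearing Excel file, and the company's endpoint defenses only caught it after the macro had already run. A gateway that inspects the attachment before delivery has an earlier chance. The following is an added example, not code from the article or from SecureWorks: a minimal Python check for an Office Open XML workbook (which is a zip container) that flags any spreadsheet carrying a VBA project part, and separately notes when the declared content type says "plain workbook" but a VBA part is present anyway. The sample workbooks are constructed inline as fixtures and are not real documents; legacy binary .xls (OLE2) files and PupyRAT itself are out of scope.

```python
import io
import zipfile

# Content types Excel writes into [Content_Types].xml for the main workbook part.
MACRO_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_workbook(data: bytes) -> dict:
    """Return what an inbound-mail filter wants to know about an OOXML attachment.

    The VBA part and the declared content type are checked independently, because
    an attacker controls both and they need not agree.
    """
    result = {"is_ooxml": False, "has_vba": False,
              "declared_macro_enabled": False, "verdict": "not-ooxml"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declared_macro_enabled"] = MACRO_CONTENT_TYPE in types_xml
        # The VBA project lives at xl/vbaProject.bin for Excel (word/ or ppt/ for
        # the other apps). Match the basename case-insensitively: member names
        # are attacker-controlled.
        result["has_vba"] = any(
            n.rsplit("/", 1)[-1].lower() == "vbaproject.bin" for n in names
        )
    if result["has_vba"]:
        result["verdict"] = "block: contains VBA project"
    elif result["declared_macro_enabled"]:
        result["verdict"] = "block: declared macro-enabled"
    else:
        result["verdict"] = "allow"
    return result


def _build_workbook(macro_enabled: bool, include_vba_part: bool) -> bytes:
    """Constructed fixture: the minimum zip layout needed to exercise the check."""
    main_type = MACRO_CONTENT_TYPE if macro_enabled else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>'
        + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if include_vba_part else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if include_vba_part:
            # Stub standing in for the OLE2 container that holds the VBA streams.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain.xlsx": _build_workbook(False, False),
        "survey.xlsm": _build_workbook(True, True),
        "renamed.xlsx (VBA part, plain content type)": _build_workbook(False, True),
        "not-a-zip": b"hello",
    }
    for name, blob in samples.items():
        print(f"{name}: {inspect_workbook(blob)['verdict']}")
```

The split verdicts matter in practice: a file whose content type claims to be a plain workbook but still ships a VBA part is exactly the case a rule keyed only on the .xlsm extension or the declared type would miss.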
After digging further into Mia Ash, SecureWorks found that hackers have cultivated the persona as a lure for staffers at target companies for over a year, with the endgame of infecting computers with spyware, and getting an initial foothold into a victim company’s network.
Social engineering, the use of lies and pretexts to lull victims into security slip-ups, is a well-worn page of the hacker playbook. But rarely do hacker groups go to the trouble of building such a long-running, fleshed-out persona as Mia Ash, says Allison Wikoff, one of the SecureWorks researchers who led the analysis, which SecureWorks presented at the Black Hat security conference. She points to Ash’s well-populated Facebook, LinkedIn, Blogger, and WhatsApp accounts, as well as two email addresses, as evidence of the hackers’ persistence and planning. “This is one of the most well-built fake personas I’ve seen,” says Wikoff. “It definitely worked, and worked for well over a year.”
Examining Ash’s friends on Facebook and LinkedIn, SecureWorks found she had two distinct sets. First, she seems to have befriended prominent photographers to bolster her profile as a bona fide shutterbug. The second group comprised men aged 20 to 40, mostly in Middle Eastern and Asian countries including Saudi Arabia, Iraq, Iran, and Israel, as well as some Americans, who worked as mid-level technicians, software developers, and administrators at tech, oil and gas, aerospace, consulting, and healthcare companies.
Examining the would-be target list in Ash’s friend group, SecureWorks linked her with a hacker group known as OilRig or Cobalt Gypsy, widely believed to be working for the Iranian government in a widespread cyberespionage campaign. (According to at least one analysis from McAfee, that group also collaborated on a more destructive campaign to plant data-destroying Shamoon malware on the networks of more than a dozen Saudi Arabian targets, and SecureWorks’ analysis of the group’s methods also matches a description of Shamoon-planting hackers tracked by IBM.)
In late 2016, SecureWorks spotted that group launching a broad phishing campaign that used PupyRAT as well. A month later, Mia Ash kicked into action at the company SecureWorks aided. Wikoff suggests that means the Ash persona may be used as a secondary tactic: If a specific company’s staff doesn’t fall for more traditional phishing emails, a persona like Ash approaches a specific target there, initiating a professional conversation over LinkedIn, and then building trust via Facebook or WhatsApp before sending the victim a malware payload via email. Based on the time put into the Ash persona, she believes it was likely used repeatedly against the Iranian hackers’ targets. “This is probably a well-oiled machine,” Wikoff says.
Ash to Ashes
After well over a year online, Ash’s LinkedIn profile mysteriously disappeared earlier this month. SecureWorks alerted Facebook to the persona, and the company removed her profile there, too.
SecureWorks also identified the real-life woman whose photos hackers used to assemble Mia Ash’s profiles. But when WIRED reached out to her she declined to speak on the record, and asked not to be identified. Wikoff points to her case as an example of how publicly posting personal photos can have unexpected, creepy consequences. “If you don’t lock down your social media accounts, they can be used in ways that might not directly harm you, but are nonetheless nefarious,” Wikoff says.
But Mia Ash offers a more serious lesson to possible victims of state-sponsored hackers, Wikoff says: Digital honey traps can be highly sophisticated, with personas that appear to have long histories and convincing personalities. And that attractive new Facebook friend may not actually be into your vacation photos.