On the face of it, the Twitter profile of a person calling herself Sara Shokouhi looks like any other earnest Middle East-focused researcher. Her tweets are a litany of retweets of various voices protesting the Iranian government. Her bio claims she’s completed a PhD from Northwestern State University of Louisiana. At the top of her profile, the person calling herself Sara Shokouhi peers into the camera with her hands folded over a stack of books.
In reality, Shokouhi is a persona manufactured by Iranian-linked hackers to target a number of different Iran-focused researchers, according to a report released Thursday by Secureworks. The woman in her photos is in fact a Russia-based psychologist and tarot card reader.
In recent weeks, the hackers — who are believed to be part of a group tracked by Secureworks as COBALT ILLUSION but also known as Charming Kitten, APT42 or Phosphorus — have used the Shokouhi persona to reach out to legitimate researchers asking if they were interested in contributing to an upcoming Atlantic Council report together with a researcher who possesses a genuine Atlantic Council affiliation.
The genuine Atlantic Council researcher, Holly Dagres, tweeted on Feb. 23 that the claims that she was working together with Shokouhi were “a lie” and that she was “sure this is some kind of phishing.” The next day, Nariman Gharib, a U.K.-based Iranian opposition activist and independent cyber espionage investigator, warned his 13,100 subscribers on Telegram about the account. Shortly after that, the Computer Emergency Response Team in Farsi — a group of security researchers focused on cybersecurity threats related to Iran — issued another warning.
It’s not clear if this particular persona’s efforts resulted in any successful phishing attacks. The Twitter account, created in October 2022, remains active. An Instagram account associated with the name is unavailable.
To build credibility with the researchers it aims to target, the persona has in recent weeks tweeted a variety of messages that align with the ongoing anti-government protests in Iran. “To appear sympathetic to the protestors’ interests and demands, the account owner has posted cynical content such as images of dead children, physical abuse suffered by protesters, anti-Iranian government commentary, and anti-Iranian symbolism,” Secureworks researchers write.
The incident isn’t Dagres’ first run-in with Charming Kitten. In a 2020 Washington Post op-ed, she described a “relentless and sophisticated” effort by the same Iranian hackers to spearphish her.
According to Secureworks, the hacking group is suspected of operating on behalf of the Intelligence Organization of the Islamic Revolutionary Guard Corps. The cybersecurity firm Proofpoint reported in December that the group had quietly added “outlier” targets to its portfolio over the last two years, including U.S. politicians, medical researchers and even a realtor involved in the sale of multiple homes near the headquarters of U.S. Central Command in Tampa, Fla.
The Computer Emergency Response Team in Farsi published a report in September 2022 detailing similar spear phishing campaigns by the same hacking group. “Charming Kitten actors have targeted individuals, academics, journalists, activists, think tankers, institutes, organizations, military and government sectors in the United States, European, and Middle Eastern countries since as early as 2014,” the report notes.
As part of their operations, the hackers use fictitious personas or pose as real people using compromised email or social media accounts to build rapport with targets before sending them malicious links to documents or online meeting sites. The CERTFA report notes that the hacking group has previously impersonated at least one Atlantic Council nonresident fellow, Hagar Hajjar.
The Atlantic Council declined to comment.
Twitter did not return a request for comment. Owner Elon Musk’s deep layoffs at the company have severely impacted the company’s ability to respond to issues of trolling and state-backed disinformation, as the BBC reported this week.