- The Washington Times - Friday, October 9, 2015

Iranian hackers are suspected of operating a network of bogus LinkedIn accounts that security researchers believe is part of a campaign targeting employees of corporations in the Middle East.

Researchers at Dell said this week that a group of hackers, likely acting on behalf of Iran, created phony profiles containing fabricated job histories and endorsements from other concocted accounts in an attempt to collect intelligence from legitimate LinkedIn users employed in the Arabian and African telecommunications and defense industries.

Twenty-five fake LinkedIn accounts have been identified by researchers working for the company’s SecureWorks Counter Threat Unit, including those of supposed recruitment consultants with hundreds of connections apiece, Dell said on Wednesday.

“CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering,” Dell said in the latest report, referring to a tactic in which sensitive data becomes compromised when an individual reveals information to an attacker, often under false pretenses.

Dell has named the actors “Threat Group-2889” and said it’s likely the same organization dubbed “Operation Cleaver” in a report released last year by Cylance, a security firm that linked the group to Iran and claimed it was working to undermine the security of over 50 companies across 15 industries in the region, possibly as retaliation for the U.S.-led Stuxnet campaign.

“Creating a network of seemingly genuine and established LinkedIn personas helps TG-2889 identify and research potential victims. The threat actors can establish a relationship with targets by contacting them directly, or by contacting one of the target’s connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target’s LinkedIn network,” Dell said.

“The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas.”

According to the findings published by Cylance in December, the “Operation Cleaver” hackers used social engineering to trick targets into installing malware that would allow data to then be stolen from infected computers.

Cylance’s report had linked the group to attacks across the world, but Dell’s CTU team said the LinkedIn campaign seems to largely target account holders in the Middle East and northern Africa, a quarter of whom work in telecommunications.

“Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrop Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical,” Dell said.

Last month, Director of National Intelligence James Clapper told a congressional committee that Iran uses its cyber program to carry out “asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence.” He went on to blame Iranian hackers for cyberattacks against American banks in 2012 and 2013, as well as an assault last year on the Las Vegas Sands casino company.
