A threat group believed to be operating out of Iran has created a network of fake LinkedIn profiles as part of a campaign aimed at individuals in the Middle East and elsewhere, Dell’s SecureWorks Counter Threat Unit reported on Wednesday.
The attackers, dubbed “Threat Group-2889” or “TG-2889,” appear to be the Iranian-sponsored hackers whose activities were documented by endpoint security company Cylance in a December 2014 report focusing on a campaign called “Operation Cleaver.”
The group behind Operation Cleaver has been active since at least 2012 and it has targeted more than 50 companies across 16 countries, including organizations in the military, government, oil and gas, energy and utilities, chemical, transportation, healthcare, education, telecommunications, technology, aerospace, and defense sectors.
Researchers at Dell SecureWorks said they haven’t found any evidence to contradict Cylance’s assessment that the threat actor is at least partly operating out of Iran.
Dell SecureWorks’ investigation focuses on a network of fake LinkedIn profiles that appear to be used to target more than 200 individuals located in countries such as Saudi Arabia, Qatar, the United Arab Emirates, Pakistan, the United States, Sudan, India, Jordan and Kuwait.
“A quarter of the targets work in the telecommunications vertical; Middle Eastern and North African mobile telephony suppliers feature heavily. A focus on these types of targets may indicate that TG-2889 is interested in acquiring data held by these organizations or gaining access to the services they operate. A significant minority of identified targets work for Middle Eastern governments and for defense organizations based in the Middle East and South Asia,” Dell SecureWorks threat intelligence experts said.
Using pictures and information copied from various locations on the Web, the attackers created at least 25 LinkedIn profiles, eight of which are what researchers call “leader personas” whose profiles are well designed and have hundreds of connections. Leader persona profiles include education history, job descriptions, and occasionally even vocational qualifications and LinkedIn group memberships, with some of the information copied from legitimate profiles.
Five of the leader personas analyzed by researchers claim to work for American industrial conglomerate Teledyne Technologies, one claims to work at South Korean industrial conglomerate Doosan, one at US-based aerospace and defense firm Northrop Grumman, and one at Petrochemical Industries, a Kuwait-based petrochemical manufacturer.
The other fake LinkedIn accounts are used as supporting personas, which are less developed and only have a handful of connections. Experts believe that the main purpose of supporting personas is to endorse the leader profiles on LinkedIn in an effort to make them seem more legitimate.
By creating LinkedIn personas that appear to be established and genuine, the attackers can identify and study their victims. Since some of the profiles are made to look like they belong to recruitment consultants, the malicious actors also have a pretext for contacting targeted individuals.
Since TG-2889 likely leverages spear phishing or malicious websites to hack victims, establishing a trust relationship with the target increases their chances of success, Dell SecureWorks explained.
While monitoring the leader profiles, researchers noticed that two of them had been given new identities, with both the photograph and current job being changed.
“Changing personas associated with existing profiles was a clever exploitation of LinkedIn functionality because the new identities inherit the network and endorsements from the previous identity. These attributes immediately make the new personas appear established and credible, and the transition may prevent the original personas from being overexposed,” experts said.
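The two patterns described above, thin supporting accounts endorsing the same leader profiles and a leader profile whose photo and employer change while its network is retained, lend themselves to simple heuristics over profile snapshots. The following is an added example, not code from the SecureWorks report; the profile ids, employers, hashes and connection counts are constructed sample data, and the thresholds are assumptions a defender would tune.

```python
from collections import defaultdict

# Constructed sample data, not indicators from the SecureWorks report.
# Snapshots: profile id -> ordered list of (observed, photo_hash, employer, connections).
SNAPSHOTS = {
    "leader-1": [("2015-08", "h1", "Employer X", 480), ("2015-10", "h9", "Employer Y", 485)],
    "leader-2": [("2015-08", "h2", "Employer Z", 300), ("2015-10", "h2", "Employer Z", 310)],
    "genuine-1": [("2015-08", "h3", "Employer W", 120), ("2015-10", "h4", "Employer W", 122)],
}
# Endorsements: (endorser id, endorser connection count, endorsed profile id).
ENDORSEMENTS = [
    ("support-1", 4, "leader-1"), ("support-1", 4, "leader-2"),
    ("support-2", 6, "leader-1"), ("support-2", 6, "leader-2"),
    ("support-3", 3, "leader-1"),
    ("colleague-1", 350, "genuine-1"), ("colleague-2", 90, "genuine-1"),
]


def identity_swaps(snapshots, keep_ratio=0.9):
    """Profiles whose photo AND employer both changed between consecutive
    snapshots while the connection count was kept, i.e. the new identity
    inherited the old network. A photo change alone (genuine-1) is not flagged."""
    flagged = []
    for pid, history in snapshots.items():
        for (_, photo_a, emp_a, conn_a), (_, photo_b, emp_b, conn_b) in zip(history, history[1:]):
            if photo_a != photo_b and emp_a != emp_b and conn_b >= keep_ratio * conn_a:
                flagged.append(pid)
                break
    return sorted(flagged)


def supporting_clusters(endorsements, max_connections=10, min_supporters=2):
    """Profiles endorsed by several thin accounts (assumed threshold: at most
    max_connections connections). Returns endorsed id -> sorted supporter ids."""
    supporters = defaultdict(set)
    for endorser, conns, endorsed in endorsements:
        if conns <= max_connections:
            supporters[endorsed].add(endorser)
    return {pid: sorted(s) for pid, s in supporters.items() if len(s) >= min_supporters}


if __name__ == "__main__":
    print(identity_swaps(SNAPSHOTS))          # ['leader-1']
    print(supporting_clusters(ENDORSEMENTS))  # leader-1 and leader-2 with their supporters
```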
This is not the first time Iranian threat actors have used fake social media profiles in their operations. In May 2014, cyber intelligence company iSIGHT Partners analyzed a campaign in which attackers had used over a dozen fake personas on various social networking websites.
Last month, the security community was warned about a series of fake recruiter profiles on LinkedIn that appeared to be targeting infosec specialists.