The Counter Threat Unit (CTU), the Dell SecureWorks research team, uncovered an initiative by an Iran-based threat group it dubbed Threat Group 2889, to create a network of fake LinkedIn profiles for “obtaining confidential information they can use for cyber espionage purposes.”
The team said the intent of the group was to use what researchers called “convincing profiles” in a self-referenced network to zero in on victims through social engineering. The “extensive” network included fake personas of “recruiters” from Northrup Grumman, Teledyne and other international companies as well as 204 legitimate LinkedIn accounts, the bulk of which belong to company employees in the U.S., Europe, the Middle East, South Asia and North Africa.
CTU Senior Researcher Tom Finney told SCMagazine.com in a Wednesday email correspondence that the team was “not surprised about the use of LinkedIn for this kind of activity,” noting that “the exact activity LinkedIn facilitates, professional networking , is vulnerable to misuse by those wanting to form trust relationships for nefarious reasons.”
He called the scheme, “the electronic equivalent of the spy, portraying a harmless employee, showing up at a regular business networking function and making lots of connections with the other guests.”
But Finney said, “What was surprising was the reuse of established fake LinkedIn accounts, by giving them a totally new persona, whilst maintaining its connections and network, which we thought was rather innovative.”
The elaborate ruse was discovered by the CTU as it tracked TG-2889, which, based on the use of certain domains, the Dell researchers believe to be the same group that Cylance refers to as Operation Cleaver, and that the LinkedIn scheme “is the initial stage of the Op Cleaver's fake résumé submitter malware operation,” according to release.
Cylance had noted that the Operation Cleaver group operated, at least in part, out of Iran, citing many domains registered in Iran, infrastructure registered in Iran to theTarh Andishan corporation, whose name in Farsi means “invention” or “innovations” and netblocks and ASNs that are also registered to Iran. Cylance had also said that hacker tools used by Operation Cleaver were traced back to Iran and Iranian provider Netafraz.com hosts part of the group's infrastructure.
“CTU has not uncovered any intelligence that contradicts this assessment by Cylance,” the release said, noting that, in fact, the team found additional evidence to support the contention that the group is operating from Iran, including that a handful of the fake LinkedIn personas purportedly worked for the same companies used in Op Cleaver's fake malware resume submitter malware initiative. And many of the legitimate LinkedIn profiles that were likely targets of TG-2889 were located in Arab states in the Mideast and North Africa.
“When reviewing Cylance's Op Cleaver report, in conjunction with iSIGHT's Newscaster (both Iranian threat groups and we think are likely the same group) we wondered whether the same MO of using social media for targeting described in Newscaster had been employed by during the activity described in the OP Cleaver report,” said Finney.
The 25 fake LinkedIn profiles discovered by Dell SecureWorkers fall into two groups – eight leaders, which are fully developed personas and 17 supporters – which the CTU researchers TG-2889 put considerable time and effort into developing. Six of the eight leaders have 500 connections while one has 275 and another only 46.
The CTU was able to uncover the fake leader profiles after noticing that one profile photo is on multiple websites, “including adult sites, and is linked to multiple identities.” The summary on one profile is “identical to that of [a] legitimate LinkedIn profile” and the employment history of the same profile “is copied from a sample resume downloaded from a recruitment website.” Yet another is a copy from genuine job advertisements listed by Teledyne, ExxonMobil and a Malaysian bank.
Researchers pegged the less extensive supporter profiles as fake, spotting three of the personas as appearing “elsewhere on the internet associated with different, seemingly legitimate, identities” and noting that none of the 17 could be confirmed as genuine through Open Source research.
“We began searching social media accounts (including LinkedIn) for recruiters who purportedly ‘worked' for the Cleaver companies (Doosan, Teledyne etc.). We found a profile, that although convincing, did not look like a genuine Teledyne, Dossan LinkedIn profile, etc.,” said Finney, explaining that “the language and structure of the profile was odd.”
But once researchers “found one, it was fairly trivial to find the others via endorsements and ‘people also viewed' section on LinkedIn,” he added.
The CTU said through a series of connections and endorsements, the fake personas appear to potential victims to be legitimate, but instead because a level of trust is established could be used with greater success in spearphishing or other malicious attacks.
“Likely the endgame was to get access to the target computer, or the organization's network to steal sensitive information - espionage,” said Finney, adding that determining the level of threat from such a scheme is difficult because “the technique, as it relies on human nature and is very similar to legitimate LinkedIn activity, is tough to guard against. Certainly those in sensitive jobs, or those with access to sensitive information should be on the guard.”
Since TG-2889 appears to be focused on mobile telecom in the Middle-East North-Africa area, the CTU researchers mused that the group's efforts were intended “to obtain data, such as telephone subscriber or telephone billing data” or instead “to engineer access to those companies' telephony networks in order to intercept the communications they carry.”
Finney said targeting is “a means and motivation question. Means – people who do not follow the advice in our TA provide the means for Cyber Threat Groups to exploit them. Motive –those with information which is of interest to the threat group.”