The CTU, the Dell SecureWorks research team, uncovered fake LinkedIn profiles and an extensive, convincing network created by the Iran-based Threat Group 2889.

The Counter Threat Unit (CTU), the Dell SecureWorks research team, uncovered an initiative by an Iran-based threat group it dubbed Threat Group 2889, to create a network of fake LinkedIn profiles for “obtaining confidential information they can use for cyber espionage purposes.”

The team said the intent of the group was to use what researchers called “convincing profiles” in a self-referenced network to zero in on victims through social engineering. The “extensive” network included fake personas of “recruiters” from Northrop Grumman, Teledyne and other international companies as well as 204 legitimate LinkedIn accounts, the bulk of which belong to company employees in the U.S., Europe, the Middle East, South Asia and North Africa.

CTU Senior Researcher Tom Finney said in a Wednesday email correspondence that the team was “not surprised about the use of LinkedIn for this kind of activity,” noting that “the exact activity LinkedIn facilitates, professional networking, is vulnerable to misuse by those wanting to form trust relationships for nefarious reasons.”

He called the scheme “the electronic equivalent of the spy, portraying a harmless employee, showing up at a regular business networking function and making lots of connections with the other guests.”

But Finney said, “What was surprising was the reuse of established fake LinkedIn accounts, by giving them a totally new persona, whilst maintaining its connections and network, which we thought was rather innovative.”

The elaborate ruse was discovered by the CTU as it tracked TG-2889. Based on the use of certain domains, the Dell researchers believe TG-2889 to be the same group that Cylance refers to as Operation Cleaver, and that the LinkedIn scheme “is the initial stage of the Op Cleaver's fake résumé submitter malware operation,” according to the release.

Cylance had noted that the Operation Cleaver group operated, at least in part, out of Iran, citing many domains registered in Iran, infrastructure registered in Iran to the Tarh Andishan corporation, whose name in Farsi means “invention” or “innovations,” and netblocks and ASNs that are also registered to Iran. Cylance had also said that hacker tools used by Operation Cleaver were traced back to Iran and that an Iranian provider hosts part of the group's infrastructure.

“CTU has not uncovered any intelligence that contradicts this assessment by Cylance,” the release said, noting that, in fact, the team found additional evidence to support the contention that the group is operating from Iran, including that a handful of the fake LinkedIn personas purportedly worked for the same companies used in Op Cleaver's fake résumé submitter malware initiative. And many of the legitimate LinkedIn profiles that were likely targets of TG-2889 were located in Arab states in the Mideast and North Africa.

“When reviewing Cylance's Op Cleaver report, in conjunction with iSIGHT's Newscaster (both Iranian threat groups and we think are likely the same group) we wondered whether the same MO of using social media for targeting described in Newscaster had been employed during the activity described in the Op Cleaver report,” said Finney.