The fake personas fell into two groups: one set of fully developed profiles posing as recruiters for major worldwide government contractors and international corporations, and another set of less developed profiles designed to lend legitimacy to the primary accounts through endorsements and connections. The report from the Dell computer company’s SecureWorks unit identified the group behind the profiles as “TG 2889,” and researchers said there was strong circumstantial evidence that the group operates out of Iran. The hackers employed a number of companies matched to computer domains used in attacks that had previously been attributed to cyber attackers from Iran, and the spread of targets in the Middle East, Arab states, North Africa and the US would be consistent with an Iranian source.
Researchers said the cyber spies were posing mainly as recruiters from major international companies including Northrop Grumman, General Motors, Teledyne Technologies, Doosan and Airbus.
The hackers seemed to be having success—more than 200 legitimate LinkedIn users had connected with the 25 fake accounts that researchers analyzed. The majority of the targets were from Saudi Arabia, Qatar, United Arab Emirates and Pakistan, but 12 were from the US.
Many of the targets worked in the telecom sector, government and defense. It wasn’t known if any of the targets were Iranian-Americans.
The fake LinkedIn profiles allow hackers to spy by helping them engage in “social engineering”—researching targets based on information on the Internet and social media to build a tailored phishing attack. Once the cyber spies establish a connection with the targets, they can send them malicious software hidden in links and email attachments that can compromise their computers, giving the hackers access to highly sensitive information.
The previously described Iranian group, for example, used malicious software hidden in what looked like a resume application to go after its targets.
Iran is considered one of the top concerns for the U.S. in cyberspace along with China, Russia and North Korea.
Dell researchers recommended that LinkedIn users only engage with profiles they know to be authentic and suggested companies do a better job of ensuring that profiles of individuals claiming to work for them are real.