Foreign Intelligence Targeting Security and IT Professionals

For the past several weeks an intelligence-gathering campaign has been using fake LinkedIn recruiter profiles to map out the professional networks of IT security experts, researchers from F-Secure have discovered. Researchers from Finnish antivirus firm F-Secure decided to look into it after some of the company’s own staff were targeted.

The accounts, most of which were for female identities, appeared to belong to recruiters for particular security industry specialties like malware analysis, embedded security, mobile security, cryptography, automotive security or digital forensics. Two accounts were specifically hunting security executives.

There are multiple cases where attackers have used fake LinkedIn profiles to gather sensitive information about organizations and their employees. Knowing who is the manager of a particular department in a company or who is a member of the organization’s IT staff can be very useful in planning targeted attacks.

This campaign has been attributed to Russian actors.

In May 2014, cyber intelligence firm iSIGHT Partners outed a group of Iranian threat actors, who were found using more than a dozen fake personas on popular social networking sites to run a wide-spanning cyber espionage operation since 2011.

“These credible personas then connected, linked, followed, and “friended” target victims, giving them access to information on location, activities, and relationships from updates and other common content,” iSIGHT Partners said.

People tend to expose a lot of information on LinkedIn about their work environments, colleagues, the company’s infrastructure and even internal projects.

The incident should serve as a reminder to employees everywhere that accepting connection requests from unknown persons on social media can be dangerous and so is detailing your existing work duties in online resumes.

UPDATE 10/09/15:

While tracking a suspected Iran-based threat group known as Threat Group-2889 (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. Researchers assess with high confidence the purpose of this network is to target potential victims through social engineering.

The threat actors can establish a relationship with targets by contacting them directly, or by contacting one of the target’s connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target’s LinkedIn network. Five of the Leader personas claim to be recruitment consultants, which would provide a pretext for contacting targets. TG-2889 likely uses spearphishing or malicious websites to compromise victims, and established trust relationships significantly increase the likelihood of these tactics being successful.

The report documented threat actors using malware disguised as a résumé application that appeared to allow résumés to be submitted to the industrial conglomerate Teledyne. Cylance reported the use of the following domains, which reference companies associated with many of the fake LinkedIn,,

Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical.

It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. Researchers advise organizations to educate their users of the specific and general risks:

  • Avoid contact with known fake personas.
  • Only connect to personas belonging to individuals they know and trust.
  • Adopt a position of sensible caution when engaging with members of colleagues’ or friends’ networks that they have not verified outside of LinkedIn.
  • When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual’s purported employer.
  • Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites. If an organization discovers that a LinkedIn persona is fraudulently claiming an association with the company, it should contact LinkedIn.

Further Information: