While tracking a suspected Iran-based cyber-threat group known as Threat Group 2889, Dell SecureWorks’ CTU uncovered an extensive network of fake LinkedIn profiles, which has been created to help the threat actors target potential victims through social engineering.
These convincing profiles form a self-referenced network of 25 seemingly established LinkedIn users. But when analyzing what’s associated with the fake accounts, the CTU found that there were 204 legitimate LinkedIn accounts also in the network. Most of them belong to individuals in the Middle East, while the others are located in North Africa and South Asia—and are likely targets of TG-2889. Most work in the telecommunications, government and defense sectors.
The 25 faux LinkedIn accounts fall into two categories: Fully developed personas (leader accounts) and supporting personas.
“It is clear that TG-2889 invested substantial time and effort into creating and maintaining these personas,” CTU noted.
Leader persona accounts are fully completed and include educational history, current and previous job descriptions, and, sometimes, vocational qualifications and membership of LinkedIn groups. Of the eight identified, six have 500 connections and of the remaining two, one has 275 connections and the other 46 connections. Of the eight leader profiles, five purport to work as recruiters for Teledyne, Northrop Grumman and Airbus Group. The remaining three leaders purport to work for Doosan and Petrochemical Industries Co.
The others are far less developed. They all use the same basic template, having five connections and a simple description of one job.
CTU found that profile photographs for three of the supporter personas appear elsewhere on the internet associated with different, seemingly legitimate, identities. Open Source research on the 17 supporter personas failed to confirm that any of the identities were genuine.
The network allows the threat actors to establish a relationship with targets by contacting them directly, or by contacting one of the target’s connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target’s LinkedIn network. Five of the Leader personas also claim to be recruitment consultants, which would provide a pretext for contacting targets. TG-2889 likely uses spearphishing or malicious websites to compromise victims, and established trust relationships significantly increase the likelihood of these tactics being successful.
The CTU believes TG-2889 is the same threat group that security firm Cylance calls the Operation Cleaver team. As the CTU explained in an analysis:
“Based on strong circumstantial evidence, in Cylance’s December 2014 Op CLEAVER report , they documented how the Cleaver team used the TinyZbotmalware (a password stealer, keystroke logger, multi-functional trojan) and disguised it as a resume application that appeared to allow resumes to be submitted to the U.S. industrial conglomerate Teledyne. According to Cylance, the Cleaver team also used the [certain] domains, which reference companies associated with many of the fake Linked profiles discovered by CTU researchers.Those domains were: Teledyne-Jobs.com; Doosan-Job.com and NorthrupGrumman.net. The CTU believes that TG-2889’s LinkedIn activity is the initial stage of the Op CLEAVER’s fake résumé submitter malware operation.”
Dell SecureWorks notified LinkedIn of the 25 fake profiles, and LinkedIn immediately took the profiles down. Additionally, Dell SecureWorks notified all of the organizations, whose brand, was being used in the scheme and notified law enforcement. However, recent updates to profile content, such as employment history, suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical.