Report: Iranian Hackers Using LinkedIn to Acquire Sensitive Defense Information

A group of Iranian hackers set up a system of LinkedIn profiles to pry sensitive information from people in the defense and telecom sectors, The Wall Street Journal reported Wednesday.

This tactic, known as “social engineering,” involves hackers tricking people into handing over personal or sensitive information. “Having those trust relationships gives [hackers] a platform to do a bunch of different things,” said Tom Finney, a security researcher at Dell Secureworks.

The 25 fake profiles described in the report were connected to more than 200 legitimate LinkedIn profiles — mostly individuals based in the Middle East who worked in sectors like telecom and defense. Those individuals and their companies likely have information that would be of interest to an Iranian cyber group, Dell Secureworks said. …

Dell SecureWorks says it believes that the group behind the fake LinkedIn profiles, tracked internally as “TG-2889,” is the same Iran-based group that last year created malware disguised as a resume-submission application for a job opening; as the victim filled out the fake job application, the malware took over the victim’s computer, a scheme uncovered in a separate security firm’s report last year.

CNBC provided further details of the scheme.

A few of the accounts were of “leader” figures — their LinkedIn profiles suggested they held important jobs in technology, banking, oil and other industries, and some had more than 500 connections. Others were of “supporters” — profiles created to give endorsements and credibility to the “leaders.”

“The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas,” the report said. “The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity.”

LinkedIn said that the 25 fake profiles have been deleted.

Earlier this year, the United States recruited Israel and Great Britain to help fight growing cyber threats from Iran. An Israeli cybersecurity firm identified a wave of Iranian-backed hacking attacks on Israeli, Saudi Arabian, and Yemeni targets in June. In August it was reported that Iranian hacking attempts had targeted domestic dissidents.

In “Iran Has Built an Army of Cyber-Proxies,” published in the August 2015 issue of The Tower Magazine, Jordan Brunner wrote about Iran’s growing hacking capabilities and the tactics used by groups sponsored by Iran.

Lebanon’s neighbor, Syria, is home to the Syrian Electronic Army (SEA), which employs cyber-warfare in support of the Assad regime. There are rumors that indicate it is trained and financed by Iran. The SEA’s mission is to embarrass media organizations in the West that publicize the atrocities of the Assad regime, as well as track down and monitor the activities of Syrian rebels. It has been very successful at both. The SEA has attacked media outlets such as The Washington Post, the Chicago Tribune, the Financial Times, Forbes, and others. It has also hacked the software of companies like Dell, Microsoft, Ferrari, and even the humanitarian program UNICEF.

The group has carried out its most devastating cyber-attacks against the Syrian opposition, often using the anonymity of online platforms to its advantage. For example, its hackers pose as girls in order to lure opposition fighters into giving up seemingly harmless information that can lead to lethal crackdowns. The SEA’s sophisticated use of cyberspace developed in a very short time, and it is reasonable to infer that this was due to Iranian training. Iran has long supported the ruling Assad regime in Syria and would be happy to support those who support him.

In recent months, a group called the Yemen Cyber Army (YCA) has arisen, hacking into systems that belong to Saudi Arabia. The YCA supports the Houthi militia, which is fighting the Yemenite government and the Saudis; the Houthis are, in turn, supported by Iran. Thus far, the YCA has attacked Saudi Arabia’s Foreign, Interior, and Defense Ministries. They have also hacked the website of the Saudi-owned newspaper Al-Hayat. Messages from the group indicate that they are sponsored by Iran, and might even be entirely composed of Iranians.

[Photo: Norbert Tydingco / Flickr ]