The Iranian hacker group, Cleaver, has been directing a cyber spying campaign at bodies in the Middle East across a network of fake LinkedIn accounts.
The hacking gang created a web of at least 25 convincing LinkedIn profiles, according to the Dell SecureWorks Counter Threat Unit (CTU). While the researchers were monitoring the suspect threat organisation Threat Group-2889 (TG-2889), they uncovered the accounts which had been established to target potential victims through social engineering.
A Dell CTU blog states that the prime targets of the attack were based in the Middle East, with the highest number of legitimate LinkedIn accounts connected to the fake accounts belonging to these individuals. The researchers explained that the fake profiles were being used to execute spear phishing attacks, or other tactics to redirect victims to malicious sites with hidden exploit kits.
It is thought that the threat actors are now using the professional network to gather intelligence using six ‘leader’ profiles, each with over 500 connections, and a collection of ‘supporter’ accounts. Among the fake accounts were the supposed profiles of employees at defence contractor Northrop Grumman, Malaysian bank RHB, U.S. tech company TeleDyne and South Korean holding firm Doosan.
According to Dell’s CTU, the hackers ascribed full education history, current and previous job roles, vocational qualifications and LinkedIn group memberships to fully illustrate the accounts. Recruitment advertisements posted on company websites were also used to create a convincing job description for the ‘leader’ accounts. Additionally, skill endorsements from the ‘supporter’ accounts also boosted credibility.
‘The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas,’ reads the Dell report. ‘Five of the leader personas claim to be recruitment consultants, which would provide a pretext for contacting targets.’