While tracking a suspected Iran-based cyber threat group known as Threat Group 2889, the CTU uncovered an extensive network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. The CTU believes this fake network has been created to help the threat actors target potential victims through social engineering. When analyzing the legitimate LinkedIn accounts, associated with the fake accounts, the CTU found that there were 204 legitimate LinkedIn accounts. Most of them belong to individuals in the Middle East, while the others are located in North Africa and South Asia. The CTU assesses, with medium confidence, that these individuals are likely targets of TG-2889.
The majority of the legitimate LinkedIn users (the suspected targets), work in the telecommunications, government and defense sectors.
Connection between TG-2289 and the Op Cleaver Team
Based on strong circumstantial evidence, the CTU believes TG-2889 is the same threat group which security firm Cylance calls the Operation Cleaver team. In Cylance’s December 2014 Op CLEAVER report , they documented how the Cleaver team used the TinyZbotmalware (a password stealer, keystroke logger, multi-functional trojan) and disguised it as a resume application that appeared to allow resumes to be submitted to the U.S. industrial conglomerate Teledyne. According to Cylance, the Cleaver team also used the following domains, which reference companies associated with many of the fake Linked profiles discovered by CTU researchers. Those domains were: Teledyne-Jobs.com; Doosan-Job.com and NorthrupGrumman.net. The CTU believes that TG-2889’s LinkedIn activity is the initial stage of the Op CLEAVER’s fake résumé submitter malware operation,.
Suspected Location of TG-2889
Cylance asserted that the Op Cleaver team is operating, at least in part, out of Iran and cited these reasons in their Op CLEAVER report:
- Persian hacker names are used throughout the Op CLEAVER campaign including: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, and numerous others.
- Numerous domains used in the CLEAVER campaign were registered in Iran.
- Infrastructure leveraged in the attack was registered in Iran to the corporate entity Tarh Andishan, which translates to “invention” or “innovation” in Farsi.
- Source netblocks and ASNs are registered to Iran.
- Hacker tools, used by Op CLEAVER team warn when their external IP address traces back to Iran.
- Part of the Op CLEAVER Team infrastructure is hosted through Netafraz.com, an Iranian provider out of Isfahan, Iran.
CTU has not uncovered any intelligence that contradicts this assessment by Cylance. Additionally, CTU believes its findings, although circumstantial, further support the belief that TG-2889 is working out of Iran. They include:
1. Similar Motus Operandi(MO) to another Iran-based Threat Group – In May 2014, it was reported that an Iran-based threat group, dubbed Newscaster, operated a pool of fake online LinkedIn personas, so as to support targeting of defense contractors, and military and government officials.
2. TG-2889 created a network of fake LinkedIn accounts with many of the fake profiles purporting to work for similar companies used in the Op Cleaver scheme–Five of the most fully developed LinkedIn personas were for recruiters,- purporting to work for two of the same companies (Doosan and Teledyne etc.), which were also used in the fake résumé submitter malware operation detailed in the Op CLEAVER report.
3. Geography and Industries of Suspected Targets of Interest to an Iran-based Threat Group. The CTU believes that the legitimate LinkedIn profiles they discovered are very likely the actual targets of TG-2889. These individuals are primarily located in the Arab states in the Middle-East and North Africa (MENA) region and the industries, in which they work, fall in line with the expected targeting behaviour of a threat group operating out of Iran.
About the Fake LinkedIn Accounts
TG-2889 created an extensive LinkedIn network of 25 profiles . The 25 LinkedIn accounts, fall into two categories: fully developed personas (LEADER) and supporting personas (SUPPORTER). It is clear that TG-2889 invested substantial time and effort into creating and maintaining these personas.
LEADER personas ---These persona accounts are fully completed and include educational history, current and previous job descriptions, and, sometimes, vocational qualifications and membership of LinkedIn groups. Of the eight identified, six have 500 connections and of the remaining two, one has 275 connections and the other 46 connections. Of the eight LEADER profiles, five purport to work as recruiters for Teledyne, Northrop Grumman, and Airbus Group. The remaining three leaders purport to work for Doosan and Petrochemical Industries Co.
The Teledyne, Northrop Grumman and Doosan domains were all used in the Operation Cleaver activity, thus providing another link between the Op Cleaver team and TG-2889.
How Did Dell SecureWorks Determine the Eight LEADER Profiles were Fake?
Open source research on the content of LEADER profiles provided compelling evidence they were fake:
- One of the profile photographs appears on numerous other websites, including adult sites and is linked to multiple identities.
- One profile’s ‘summary’ is identical to that of legitimate LinkedIn profile.
- The same profile’s employment history is copied from a sample résumé downloaded from a recruitment website.
- Another profile’s employment role profile is copied from genuine Teledyne and ExxonMobil job adverts.
- Another’s LinkedIn role profile is copied from (see Figure 2. Of Report) a legitimate job advert from a Malaysian bank (see Figure 3 of Report).
Supporter Personas---In contrast to LEADER personas, the 17 SUPPORTER personas developed by TG-2889 are far less developed. They all use the same basic template, having five connections and a simple description of one job.
How did the CTU Determine the Supporter Personas were Fake?
Profile photographs for three of the SUPPORTER personas appear elsewhere on the internet associated with different, seemingly legitimate, identities. Open Source research on the 17 SUPPORTER personas failed to confirm any of the identities were genuine. CTU researchers assess that, like the LEADER personas, the SUPPORTER personas are fake.
Targeting LinkedIn Users
The CTU believes that creating a network of seemingly genuine and established LinkedIn personas helps TG-2889 identify and research potential victims. The threat actors can establish a relationship with targets by contacting them directly, or by contacting one of the target’s connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target’s LinkedIn network.
Five of the Leader personas claim to be recruitment consultants, which would provide a pretext for contacting targets. TG-2889 likely uses spearphishing or malicious websites to compromise victims, and established trust relationships significantly increase the likelihood of these tactics being successful.
In addition to the fake SUPPORTER personas endorsing the LEADER personas, seemingly genuine LinkedIn users have also endorsed LEADER persona accounts. As provision of an endorsement implies an interaction between two accounts, it is likely these genuine users are part of the LEADER personas’ networks, and it is therefore very possibly the actual targets of TG-2889.
A quarter of the targets work in the telecoms sector; Middle-Eastern and North African mobile telephony suppliers feature heavily. A significant minority work for Middle-Eastern governments and for defense organizations based in the Middle East and South Asia.
TG-2889 seems to have a focus on the mobile telecoms sector in the Middle-East North-Africa (MENA) region. One wonders whether it is a) to obtain data, such as telephone subscriber or telephone billing data b) or to engineer access to those companies’ telephony networks in order to intercept the communications they carry.
What do you think TG-2889 (Op Cleaver team) group’s objective is?
We assess this group is tasked with obtaining confidential information for cyber espionage purposes. This assessment is based on the inferred targeting of Arab middle-eastern companies, governments, and defense organizations.
How did the CTU Discover this Network of Fake LinkedIn Profiles?
CTU researchers are constantly monitoring and researching targeted threat groups and in order to best protect its clients they seek ways to disrupt a threat group’s activity at the earliest stage possible – the higher up the kill-chain they can strike, the better. When reviewing Cylance’s Op CLEAVER report, in conjunction with iSIGHT’s NEWSCASTER report (the CTU believes the Cleaver Team, the team referenced in the NEWCASTER report and TG-2889 are all the same group) the CTU wondered whether the same MO, of using social media for targeting victims described in NEWSCASTER, had been employed during the activity described in CLEAVER.
The CTU began searching social media accounts (including LinkedIn) for recruiters who purportedly ‘worked’ for the companies listed in the CLEAVER report (Doosan, Teledyne etc.).
They found a profile, that although quite convincing, did not look like a genuine Teledyne or Dossan etc. LinkedIn profile; the language and structure of the profile was odd. Once they found one, it was fairly trivial to find the others via endorsements and ‘people also viewed’ section on LinkedIn. As soon as the CTU uncovered the Supporter profiles, they were sure they had uncovered a network of fake profiles.
Dell SecureWorks notified LinkedIn of the 25 fake profiles, and LinkedIn immediately took the profiles down. Additionally, Dell SecureWorks notified all of the organizations, whose brand, was being used in the scheme and notified law enforcement.
Current Status of TG-2889 and How to Protect Against this Threat
Recent updates to profile content, such as employment history, suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical.
It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks:
- Avoid contact with known fake personas.
- Only connect to personas belonging to individuals they know and trust.
- Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not verified outside of LinkedIn.
- When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer.
Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites. If an organization discovers that a LinkedIn persona is fraudulently claiming an association with the company, it should contact LinkedIn. Creating false identities and misrepresenting an association with an organization is a breach of LinkedIn's terms and conditions.