Hackers create a fake LinkedIn network around them so they can contact and infiltrate legitimate companies

Oct 8, 2015 11:36 GMT

Iran-based hackers are building a network of fake LinkedIn user profiles with the aim of entering the business circles of telecommunications and defense contractors.

According to Dell's SecureWorks Counter Threat Unit Threat Intelligence team, the group, which they've internally named Threat Group-2889 (TG-2889), seems to be the same group of hackers that Cylance and the FBI warned about in December 2014, when it carried out Operation Cleaver with the purpose of infiltrating critical infrastructure points around the world.

Dell says that the group is now building a network of fake user profiles on LinkedIn, creating fake identities for high-tech professionals and trying to get in contact with various companies in different countries.

The group is particularly interested in domains like aerospace, defense, military, chemical, energy, government, and education. Most targets are from the telecommunications field, from companies located in the Middle East and North Africa.

In fact, countries in the Middle East make up the majority of targeted states. The top five are Saudi Arabia (39 businesses), Qatar (28), United Arab Emirates (27), Pakistan (17), and the United States (12).

Analysis of the LinkedIn network of fake profiles

Dell has managed to identify 25 of the fake LinkedIn profiles so far, and says that they've all been created to support 8 accounts, called "leader personas."

The other accounts only exist to support the leaders, giving them credibility and creating a network of followers around them.

While the follower accounts are quite spartan, the leader accounts are very well maintained and contain a lot of detail. The TG-2889 members go the distance, joining various LinkedIn groups and even updating their listings regularly, changing names and pictures before someone catches on.

This type of social engineering scam is not new. It was used in May 2014 by another Iran-based threat group, and again this past September, when a similar network of fake LinkedIn personas was being built around InfoSec professionals.

The structure of the network of fake LinkedIn accounts