“While tracking a suspected Iran-based threat group known as Threat Group-2889 (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering.” states a blog post published by the Dell’s Counter Threat Unit. The experts labelled the Cleaver group TG-2889.“Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.” Security experts speculate that the Cleaver group has been created by the Iranian Government in in the wake of the Stuxnet attack against the nuclear facility in Natanz. The list of targets identified by the researchers at Cylance is very long and includes at least one military entity in the US by name, the Navy Marine Corps Intranet (NMCI) and organizations in several industries such as energy and utilities. The previous report also revealed that airports, principal airlines, government agencies, transportation companies, telecommunications operators, defense contractors and educational institutions are among the targeted institutions. The experts revealed that during the period of observation, the threat actors have rapidly improved their cyber capabilities. Now the Cleaver is exploiting the popular professional social network LinkedIn for intelligence gathering activities, the group used six so-called Leader profiles that have more than 500 profile connections and a number of Supporter personas what are less developed than for Leader personas. The leader profiles were used by the threat actors to conduct spear phishing attacks or to redirect users to malicious websites hosting exploit kits. The experts at Dell’s Counter Threat Unit who investigated the case, discovered that the fake profiles used by the Cleaver hacking crew claim individuals are employees at companies including defence contractor Northrop Grumman, Malaysia’s RHB Bank, US tech firm TeleDyne and South Korean holding firm Doosan. The researchers conducting OSIT researchers discovered that “the Leader profiles” were fraudulent, hackers used the same profile images for multiple identities across numerous websites. The hackers also copied the summary section in LinkedIn profiles from legitimate LinkedIn profile, meanwhile the employment history matches a sample résumé downloaded from a recruitment website. Hackers also used job advertisements from Teledyne and ExxonMobil companies and legitimate job posting from a Malaysian bank in order to create a trustable job description. The Cleaver hackers have created a network of credible professional enforced by the use of the endorsements mechanism. The Supporter personas appears to be to provide LinkedIn skills endorsements for Leader profiles as it is visible in the following graph. fake recruiting accounts on LinkedIn used for intelligence gathering about security experts. A few months ago, researchers from iSIGHT Partners uncovered a group of Iranian hackers who was using more than a dozen fake profiles to infiltrate social networking websites with cyber espionage purpose. “These credible personas then connected, linked, followed, and “friended” target victims, giving them access to information on location, activities, and relationships from updates and other common content,” iSIGHT Partners explained. Iranian spies used a network of fake accounts (NEWSCASTER network) on principal social media to spy on US officials and political staff worldwide, as reported in the analysis published by iSIGHTPartners.