Do you remember the Iran-based APT Cleaver? In December the security firm Cylance released a detailed report on the hacking campaign Operation Cleaver, run by state-sponsored hackers linked to Iran. The Iranian hackers targeted critical infrastructure worldwide, ten of which are located in the United States.
The Cleaver group is once again in the headlines: the hacking crew has created a network of at least 25 well-developed LinkedIn profiles to run a social engineering campaign that is targeting entities in the Middle East.
“While tracking a suspected Iran-based threat group known as Threat Group-2889 (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering.” states a blog post published by Dell’s Counter Threat Unit. The experts labelled the Cleaver group TG-2889.
“Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.”
The list of targets identified by the researchers at Cylance is very long and includes at least one US military entity named explicitly, the Navy Marine Corps Intranet (NMCI), as well as organizations in several industries such as energy and utilities. The previous report also revealed that airports, major airlines, government agencies, transportation companies, telecommunications operators, defense contractors and educational institutions are among the targeted institutions.
The experts revealed that during the period of observation, the threat actors rapidly improved their cyber capabilities.
Now Cleaver is exploiting the popular professional social network LinkedIn for intelligence gathering. The group used six so-called Leader profiles, each with more than 500 connections, and a number of Supporter personas that are less developed than the Leader personas.
The leader profiles were used by the threat actors to conduct spear phishing attacks or to redirect users to malicious websites hosting exploit kits.
The experts at Dell’s Counter Threat Unit who investigated the case discovered that the fake profiles used by the Cleaver hacking crew claim that the individuals are employees at companies including the defence contractor Northrop Grumman, Malaysia’s RHB Bank, the US tech firm Teledyne and the South Korean holding firm Doosan.
Through open-source intelligence (OSINT) research, the researchers discovered that the Leader profiles were fraudulent: the hackers used the same profile images for multiple identities across numerous websites. The hackers also copied the summary section of the LinkedIn profiles from legitimate LinkedIn profiles, while the employment history matches a sample résumé downloaded from a recruitment website. The hackers also reused job advertisements from Teledyne and ExxonMobil and a legitimate job posting from a Malaysian bank in order to create credible job descriptions.
The Cleaver hackers have built a network of credible professionals, reinforced through the use of LinkedIn’s endorsement mechanism.
The purpose of the Supporter personas appears to be to provide LinkedIn skills endorsements for the Leader profiles, as shown in the following graph.
The researchers also spotted a novel technique: two Leader profiles appear to be duplicates, and while CTU experts were analyzing the profiles, the Cleaver actors altered two of the Leader LinkedIn accounts by replacing the profile name and photograph with a new identity.
“The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas,” states the report published by Dell. “Five of the leader personas claim to be recruitment consultants, which would provide a pretext for contacting targets.”
The exploitation of social networks for cyber espionage is not new: in September, security researchers uncovered a group of fake recruiting accounts on LinkedIn used to gather intelligence about security experts.
A few months ago, researchers from iSIGHT Partners uncovered a group of Iranian hackers who were using more than a dozen fake profiles to infiltrate social networking websites for cyber espionage purposes.
“These credible personas then connected, linked, followed, and “friended” target victims, giving them access to information on location, activities, and relationships from updates and other common content,” iSIGHT Partners explained.
Iranian spies used a network of fake accounts (the NEWSCASTER network) on major social media platforms to spy on US officials and political staff worldwide, as reported in the analysis published by iSIGHT Partners.
(Security Affairs – LinkedIn, intelligence)