The Cleaver group is once again in the headlines managing a well-developed network of fake LinkedIn profiles for cyber espionage purpose.
Do you remember the Iran-based APT Cleaver? In December the security firm Cylance released a detailed report on the hacking Operation Cleaver that was run by state-sponsored hackers linked to the Iran. The Iranian hackers targeted critical infrastructure worldwide, ten of which are located in the United States.
The Cleaver group is once again in the headlines, the hacking crew has created a network of at least 25 well-developed LinkedIn profiles to manage a social engineering campaign that is targeting entities the Middle East.
“While tracking a suspected Iran-based threat group known as Threat Group-2889 (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering.” states a blog post published by the Dell’s Counter Threat Unit. The experts labelled the Cleaver group TG-2889.
“Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.”
Security experts speculate that the Cleaver group has been created by the Iranian Government in in the wake of the Stuxnet attack against the nuclear facility in Natanz.
The list of targets identified by the researchers at Cylance is very long and includes at least one military entity in the US by name, the Navy Marine Corps Intranet (NMCI) and organizations in several industries such as energy and utilities. The previous report also revealed that airports, principal airlines, government agencies, transportation companies, telecommunications operators, defense contractors and educational institutions are among the targeted institutions.
The experts revealed that during the period of observation, the threat actors have rapidly improved their cyber capabilities.
Now the Cleaver is exploiting the popular professional social network LinkedIn for intelligence gathering activities, the group used six so-called Leader profiles that have more than 500 profile connections and a number of Supporter personas what are less developed than for Leader personas.
The leader profiles were used by the threat actors to conduct spear phishing attacks or to redirect users to malicious websites hosting exploit kits.
The experts at Dell’s Counter Threat Unit who investigated the case, discovered that the fake profiles used by the Cleaver hacking crew claim individuals are employees at companies including defence contractor Northrop Grumman, Malaysia’s RHB Bank, US tech firm TeleDyne and South Korean holding firm Doosan.
The researchers conducting OSIT researchers discovered that “the Leader profiles” were fraudulent, hackers used the same profile images for multiple identities across numerous websites. The hackers also copied the summary section in LinkedIn profiles from legitimate LinkedIn profile, meanwhile the employment history matches a sample résumé downloaded from a recruitment website. Hackers also used job advertisements from Teledyne and ExxonMobil companies and legitimate job posting from a Malaysian bank in order to create a trustable job description.
The Cleaver hackers have created a network of credible professional enforced by the use of the endorsements mechanism.
The Supporter personas appears to be to provide LinkedIn skills endorsements for Leader profiles as it is visible in the following graph.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
Share On
