A skilled hacking crew, thought to operate out of Iran, is behind an elaborate phishing scheme on LinkedIn targeting employees in telecoms, government agencies, and defence contractors.
Researchers at Dell's SecureWorks have released an analysis of a hacking crew they have dubbed Threat Group 2889 (TG-2889), which is using at least 25 bogus but thoroughly developed LinkedIn profiles to draw in potential targets.
The leading personas have richly detailed work histories and about 500 contacts, while supporter personas help bolster the leaders' endorsements and credibility.
SecureWorks' analysis builds on earlier work by security firm Cylance. In December, Cylance detailed the activities of an Iranian hacking crew it called Cleaver, which had, over a two-year period, hacked into 50 organisations across Europe, North America, and the Middle East, including military units, airlines, airports, universities, defence contractors, and energy companies.
"Based on strong circumstantial evidence, CTU researchers assess that TG-2889 is linked to the activity that Cylance described," SecureWorks noted.
The bogus recruiters on LinkedIn build on the group's previously reported recruitment ruse to infect and phish details from targets.
According to Cylance, the group used multiple attack techniques, including SQL injection, numerous software exploits, and TinyZBot, a variant of the notorious Zeus malware the group customised for its surveillance work.
The Zeus variant allowed it to gather information on infected machines by logging keystrokes, capturing screenshots, disabling antivirus, and remotely adding new components.
The malware was disguised as a resume submission system that purported to deliver resumes to the industrial conglomerate Teledyne. Both security vendors note the group used domains that passed themselves off as the recruitment pages of the real corporations Teledyne, Doosan, and Northrop Grumman.
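The impersonation of real corporations' recruitment pages is the detectable part of this lure. The following is an added example, not code from the article or from either vendor's report: a small checker that flags hostnames in web-proxy logs which carry a protected brand name (the three named in the article) but do not resolve to that brand's genuine registrable domain. The allowlist of genuine domains, the homoglyph-digit mapping, the log format and every hostname in the sample log are constructed or assumed for illustration; in practice the allowlist comes from your own asset inventory and the registrable-domain split would use a public-suffix list.

```python
"""Flag recruitment-themed lookalike domains that impersonate a protected brand.

Added example; not from the article or the SecureWorks/Cylance reports.
"""
import re
import unicodedata

# Brands named in the article. The genuine domains listed for each are an
# assumption for this example; take them from your own inventory in practice.
BRAND_ALLOWLIST = {
    "teledyne": {"teledyne.com"},
    "doosan": {"doosan.com"},
    "northropgrumman": {"northropgrumman.com"},
}

# Tokens a recruitment-themed lure tends to carry in the hostname (assumed list).
RECRUITING_WORDS = ("career", "jobs", "recruit", "resume", "apply")

# Digits commonly substituted for letters in lookalike names (assumed mapping).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

HOST_RE = re.compile(r"\bhost=(\S+)")


def normalize(raw: str) -> str:
    """Lowercase, NFKC-fold, and strip scheme, port and path if a URL was passed."""
    host = unicodedata.normalize("NFKC", raw.strip().lower())
    host = re.sub(r"^[a-z]+://", "", host)
    return host.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels only. Assumption: no public-suffix list, so multi-label
    suffixes such as co.uk are not handled here."""
    return ".".join(host.split(".")[-2:])


def collapse(host: str) -> str:
    """Drop separators and fold homoglyph digits so 'te1edyne-hr' matches 'teledyne'."""
    return re.sub(r"[-_.]", "", host).translate(HOMOGLYPHS)


def classify(raw_host: str) -> dict:
    """Return a verdict: legitimate (on a genuine brand domain), impersonation
    (brand name present but not on a genuine domain), or unrelated."""
    host = normalize(raw_host)
    reg = registrable_domain(host)
    for brand, legit in BRAND_ALLOWLIST.items():
        if reg in legit:
            return {"host": host, "brand": brand, "verdict": "legitimate", "lure": False}
    squashed = collapse(host)
    for brand in BRAND_ALLOWLIST:
        if brand in squashed:
            # Judge the recruiting lure on the remainder so the brand itself
            # cannot trigger it (e.g. "hr" inside "northrop").
            rest = squashed.replace(brand, "")
            lure = any(word in rest for word in RECRUITING_WORDS)
            return {"host": host, "brand": brand, "verdict": "impersonation", "lure": lure}
    return {"host": host, "brand": None, "verdict": "unrelated", "lure": False}


def scan_log(lines) -> list:
    """Return impersonation verdicts for proxy log lines of the constructed
    form '<timestamp> src=<ip> host=<name> uri=<path>'."""
    hits = []
    for line in lines:
        match = HOST_RE.search(line)
        if match and (verdict := classify(match.group(1)))["verdict"] == "impersonation":
            hits.append(verdict)
    return hits


# Constructed sample proxy log; none of these hostnames is from the article.
SAMPLE_LOG = [
    "2015-10-07T09:12:01 src=10.0.0.21 host=careers.teledyne.com uri=/jobs",
    "2015-10-07T09:14:33 src=10.0.0.21 host=teledyne-careers.example uri=/apply",
    "2015-10-07T09:20:45 src=10.0.0.33 host=n0rthropgrumman.example uri=/resume.php",
    "2015-10-07T09:21:10 src=10.0.0.33 host=www.linkedin.com uri=/feed",
    "2015-10-07T09:25:59 src=10.0.0.40 host=hr.doosan.com uri=/",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two of the five constructed lines are flagged: the hyphenated `teledyne-careers.example` (brand plus a recruiting token, so `lure` is true) and the digit-substituted `n0rthropgrumman.example`; the two hosts under genuine brand domains are passed as legitimate regardless of subdomain. A substring check like this is deliberately loose, so treat hits as triage candidates to be confirmed against WHOIS age and certificate data rather than as blocks.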
As Cylance noted, the Iranian hacking group emerged in the wake of Stuxnet, the malware thought to have been developed by the US to sabotage Iran's uranium enrichment facility.
LinkedIn has become something of a preferred tool for hackers to gather information about targets in a particular industry. In September, researchers at Finnish security firm F-Secure who received invitations from fake recruiters laid out in detail the techniques used in that scheme.
Though the bogus recruiters merely sent invitations to numerous security researchers, Yonathan Klijnsma, a researcher from Dutch security firm Fox-IT, highlighted that the activity would have allowed the attacker to map out the industry's social connections.
Exactly why an attacker would do that was never discovered, but about one month after accepting an invitation, the fake recruiter would vanish from the target's connections.