Enterprises and agencies that have been on the fence regarding SIEM services, take note: Based on findings from a recent study by Dell, LinkedIn is now on the list of tools hackers employ to spy on and single out potential targets for cyberattacks and espionage.
Iran-based Threat Group-2889
While conducting research on an Iran-based team of hackers known as Threat Group-2889, the Dell SecureWorks Counter Threat Unit came across a network of 25 fake professional profiles on LinkedIn. In addition to having fabricated names, profiles, educational information, skills and work experience, the fraudsters connected with seemingly legitimate government agency professionals and other industry leaders. Six of the profiles had more than 500 connections, and several of the spies posed as recruiters from companies including General Motors, Northrop Group, Teledyne Technologies, Airbus and Doosan.
The majority of the targets noted in Dell's report were based in the Middle East and North Africa, more specifically Saudi Arabia, the United Arab Emirates, Pakistan and Qatar. However, the report also revealed that 12 U.S.-based professionals who worked mainly in government, defense and the telecom sector were targeted. Most of the fake personas listed the U.K., the U.S. or South Korea as the account's country.
What appears to be relatively innocuous profile stalking is in fact an effective espionage tactic called social engineering, a form of psychological manipulation that targets people directly using information gathered from the Internet and social media. This tactic is commonly employed in phishing scams and other forms of cyberintrusion, and when combined with personal information gathered by malicious actors it can be used to blackmail professionals into divulging sensitive information or data about a corporation or government agency. Presently, no motive has been pinned to the Iran-based hacker group.
"Creating a network of seemingly genuine and established LinkedIn personas helps TG-2889 identify and research potential victims," the Dell researchers noted. "The threat actors can establish a relationship with targets by contacting them directly, or by contacting one of the target's connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target's LinkedIn network. Five of the Leader personas claim to be recruitment consultants, which would provide a pretext for contacting targets. TG-2889 likely uses spearphishing or malicious websites to compromise victims, and established trust relationships significantly increase the likelihood of these tactics being successful."
Dell recommended that companies and agencies verify profiles that claim to be associated with them as a precaution against social engineering through online professional networking. While this is especially important for government agency workers and contractors, enterprises should take this advice as well, especially considering the telecom industry was among Threat Group-2889's targets.
The idea that LinkedIn profiles, which have become commonplace in most industries, can be leveraged by hackers makes two things very clear: first, that hackers will leave no possible entry point unexplored; and second, that cybersecurity in the form of SIEM services is more important than ever. A company or government agency cannot avoid being put in the line of fire, but with reliable SIEM-as-a-service it will have a clearer picture of how security threats are trying to get in, with what frequency and to what degree.
Protect your interests, especially if your digital assets are interesting to cyberattackers and spies; consider starting with managed SIEM services.
Cybersecurity news and analysis brought to you by Arctic Wolf, leading provider of managed SIEM services.