• Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence
  • Date: 07 October 2015

Summary

While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.

Fake LinkedIn accounts

The 25 fake LinkedIn accounts identified by CTU researchers fall into two categories: fully developed personas (Leader) and supporting personas (Supporter). The table in the Appendix lists details associated with the accounts. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity.

Leader personas

Profiles for Leader personas include full educational history, current and previous job descriptions, and, sometimes, vocational qualifications and LinkedIn group memberships. Of the eight Leader personas identified by CTU researchers, six have more than 500 connections (see Figure 1).

Figure 1. Example Leader LinkedIn profile created by TG-2889. (Source: Dell SecureWorks)

Figure 1. Example Leader LinkedIn profile created by TG-2889. (Source: Dell SecureWorks)

The results of open-source research conducted by CTU researchers provided compelling evidence that the Leader profiles were fraudulent:

  • One of the profile photographs is linked to multiple identities across numerous websites, including adult sites.
  • The summary section in one profile is identical to the summary in a legitimate LinkedIn profile, and the employment history matches a sample résumé downloaded from a recruitment website.
  • In another profile, a job description was copied from genuine Teledyne and ExxonMobil job advertisements.
  • The job description in yet another profile (see Figure 2) was copied from a legitimate job posting from a Malaysian bank (see Figure 3).

Figure 1. Example Leader LinkedIn profile created by TG-2889. (Source: Dell SecureWorks)
Figure 2. Job description from Leader persona profile. (Source: Dell SecureWorks)

Figure 3. Malaysian bank job posting matching a job description associated with a fake Leader LinkedIn profile. (Source: Dell SecureWorks)

Figure 3. Malaysian bank job posting matching a job description associated with a fake Leader LinkedIn profile. (Source: Dell SecureWorks)

Five of the Leader personas purport to work for Teledyne, an American industrial conglomerate. In addition, one claims to work for Doosan (an industrial conglomerate based in South Korea), one for Northrop Grumman (a U.S. aerospace and defense company), and one for Petrochemical Industries Co., (a Kuwaiti petrochemical manufacturing company).

Supporter personas

Profiles for Supporter personas are far less developed than for Leader personas. They all use the same basic template with one simple job description, and they all have five connections (see Figure 4). Profile photographs for three of the Supporter personas appear elsewhere on the Internet, where they are associated with different, seemingly legitimate, identities. As with the Leader profiles, open-source research indicates that the Supporter profiles are also fake.

Figure 4. Example Supporter LinkedIn profile created by TG-2889. (Source: Dell SecureWorks)

Figure 4. Example Supporter LinkedIn profile created by TG-2889. (Source: Dell SecureWorks)

Building credibility via endorsements

The purpose of the Supporter personas appears to be to provide LinkedIn skills endorsements for Leader personas, likely to add legitimacy to the Leader personas. As shown in Figure 5, most of the Supporter accounts identified by CTU researchers have endorsed skills listed on the profiles of the Leader personas. Although unable to view Leader personas' LinkedIn connections, CTU researchers suspect the threat actors use the Supporter accounts to provide the Leader profiles with an established network, which also enhances credibility.

Figure 5. TG-2889 uses Supporter accounts (gray) to endorse the skills of Leader personas (green). (Source: Dell SecureWorks)

Figure 5. TG-2889 uses Supporter accounts (gray) to endorse the skills of Leader personas (green). (Source: Dell SecureWorks)

Novel technique

Although CTU researchers identified eight Leader profiles, two appear to be duplicates that have different identities associated with the same account. While CTU researchers were analyzing the profiles, the threat actors altered two of the Leader LinkedIn accounts. The original profile name and photograph were replaced with a new identity, and the current job was updated: in one case replacing Teledyne with Northrup Grumman (see Figure 6) and in the second replacing Teledyne with Airbus Group.

Figure 6. LinkedIn screenshots showing replacement of original Pamela McCoy persona with Christine Russell. The alphanumerical LinkedIn ID, a1/7b/955, remains the same. (Source: Dell SecureWorks)

Figure 6. LinkedIn screenshots showing replacement of original Pamela McCoy persona with Christine Russell. The alphanumerical LinkedIn ID, a1/7b/955, remains the same. (Source: Dell SecureWorks)

Changing personas associated with existing profiles was a clever exploitation of LinkedIn functionality because the new identities inherit the network and endorsements from the previous identity. These attributes immediately make the new personas appear established and credible, and the transition may prevent the original personas from being overexposed.

Targeting LinkedIn users

Creating a network of seemingly genuine and established LinkedIn personas helps TG-2889 identify and research potential victims. The threat actors can establish a relationship with targets by contacting them directly, or by contacting one of the target's connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target's LinkedIn network.

Five of the Leader personas claim to be recruitment consultants, which would provide a pretext for contacting targets. TG-2889 likely uses spearphishing or malicious websites to compromise victims, and established trust relationships significantly increase the likelihood of these tactics being successful.

Targets

Seemingly legitimate LinkedIn users have also endorsed Leader personas. Endorsements are granted by connections, indicating that these legitimate users are part of the Leader personas' networks. Therefore, they are likely TG-2889 targets. Examination of the profiles associated with the endorsements revealed 204 potential TG-2889 targets. As shown in Figure 7, most are based in the Middle East.

Figure 7. Legitimate endorsers of fake TG-2889 LinkedIn accounts by country. (Source: Dell SecureWorks)

Figure 7. Legitimate endorsers of fake TG-2889 LinkedIn accounts by country. (Source: Dell SecureWorks)

A quarter of the targets work in the telecommunications vertical; Middle Eastern and North African mobile telephony suppliers feature heavily. A focus on these types of targets may indicate that TG-2889 is interested in acquiring data held by these organizations or gaining access to the services they operate. A significant minority of identified targets work for Middle Eastern governments and for defense organizations based in the Middle East and South Asia.

Attribution

Based on strong circumstantial evidence, CTU researchers assess that TG-2889 is linked to the activity that Cylance described in its December 2014 Operation CLEAVER report. The report documented threat actors using malware disguised as a résumé application that appeared to allow résumés to be submitted to the industrial conglomerate Teledyne. Cylance reported the use of the following domains, which reference companies associated with many of the fake LinkedIn profiles identified by CTU researchers:

  • Teledyne-Jobs.com
  • Doosan-Job.com
  • NorthropGrumman.net

Cylance attributed the Operation CLEAVER activity to a threat group operating at least in part out of Iran. CTU researchers have not uncovered any intelligence that contradicts this assessment. Furthermore, the strong focus suggested by the endorsement analysis on targets from Arab states in the Middle East and North Africa (MENA) region is in line with the expected targeting behavior of a threat group operating out of Iran.

Ongoing threat

Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical.

It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks:

  • Avoid contact with known fake personas.
  • Only connect to personas belonging to individuals they know and trust.
  • Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not verified outside of LinkedIn.
  • When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer.

Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites. If an organization discovers that a LinkedIn persona is fraudulently claiming an association with the company, it should contact LinkedIn. Creating false identities and misrepresenting an association with an organization is a breach of LinkedIn's terms and conditions.

Appendix — Fake LinkedIn personas created by TG-2889

Table 1 lists details associated with Leader and Supporter personas created by TG-2889. The pairs shaded in dark gray are different identities associated with the same LinkedIn account. The only difference in the profile links of the shared accounts is the persona name.

Type Name and profile link Role Country Connections Company
Leader Jon Sam Park
https://www.linkedin.com/pub/jong-sam-park/a0/a46/3
Network Administrator Korea 500 Doosan
Leader Pamela McCoy
https://www.linkedin.com/pub/pamela-mccoy/a1/7b/955
Recruitment Consultant United States 500 Teledyne Technologies Incorporated
Leader Christine Russell
https://www.linkedin.com/pub/christine-russell/a1/7b/955
International Recruitment Consultant United States 500 Northrop Grumman
Leader Timothy Stokes
https://www.linkedin.com/pub/timothy-stokes/a0/a75/b46
Recruitment Consultant United States 500 Teledyne Technologies Incorporated
Leader Matilda Aronson
https://kr.linkedin.com/pub/matilda-aronson/a1/4a5/227
Recruitment Consultant Korea 500 Teledyne Technologies Incorporated
Leader Petra Hedegaard
https://kr.linkedin.com/pub/petra-hedegaard/a1/4a5/227
Recruitment Consultant Korea 500 Airbus Group
Leader Hassan (Baqeri) Al Huwaidi
https://www.linkedin.com/in/hbaqeri
Research and Development Manager United States 275 Teledyne Technologies Incorporated
Leader Raheleh Keramat
https://www.linkedin.com/pub/raheleh-keramat/99/751/4b
IT Infrastructure Manager Kuwait 46 Petrochemical Industries Co.
Supporter Ben Blamey
https://uk.linkedin.com/pub/ben-blamey/a2/503/a79
Senior Electronics Project Manager United Kingdom 5 General Motors
Supporter Brandon Mobley
https://uk.linkedin.com/pub/brandon-mobley/a2/45b/4b
Senior Electronics Design Engineer United Kingdom 5 General Motors
Supporter Broderick Huff
https://www.linkedin.com/pub/broderick-huff/a1/a50/84
IT Technical and Security Manager United States 5 Teledyne Technologies Incorporated
Supporter Carolyne Mejia
https://uk.linkedin.com/pub/carolyne-mejia/a1/443/17
IT Support Analyst United Kingdom 5 Teledyne Technologies Incorporated
Supporter Edwin Grubbs
https://www.linkedin.com/pub/pamela-mccoy/a1/7b/955
IT Recruitment Consultant United Kingdom 5 Teledyne Technologies Incorporated
Supporter Eric Harvill
https://uk.linkedin.com/pub/eric-harvill/a2/5a5/77b
Electronics Development Engineer United Kingdom 5 General Motors
Supporter Helen Albers
https://uk.linkedin.com/pub/helen-albers/a2/73b/6b7
Electronics Hardware Engineer United Kingdom 5 Teledyne Technologies Incorporated
Supporter Kristen Allen
https://www.linkedin.com/pub/kristen-allen/a1/a55/8b4
IT Solutions Manager United States 5 Teledyne Technologies Incorporated
Supporter Lee Chia
https://www.linkedin.com/pub/lee-chia/a2/506/485
Hardware Design Engineer / Electronics Design Korea 5 Doosan
Supporter *******
https://www.linkedin.com/pub/*******/a2/600/940
Quality Manager United Kingdom 5 *******
Supporter Merle Rogers
https://uk.linkedin.com/pub/merle-rogers/a2/378/30b
IT Service Desk Engineer / Support / Windows / Mac OS / Linux United Kingdom 5 Doosan
Supporter Naomi Brinson
https://www.linkedin.com/pub/naomi-brinson/a2/5b9/23a
Principal Electronics Systems Engineer - DFM, NPI United Kingdom 5 Unilever
Supporter Peggy Gore
https://uk.linkedin.com/pub/peggy-e-gore/a1/b60/a8b
Head of IT Services and Operations United Kingdom 5 Doosan
Supporter Raymond Reale
https://uk.linkedin.com/pub/raymond-reale/a1/497/689
Project and Program Manager Assistant at Teledyne Technologies Incorporated United Kingdom 5 Teledyne Technologies Incorporated
Supporter Ricky Furst
https://www.linkedin.com/pub/ricky-furst/a1/967/84a
IT Manager at Teledyne Technologies Incorporated United States 5 Teledyne Technologies Incorporated
Supporter *******
https://www.linkedin.com/pub*******a67
IT Support Analyst at Teledyne Technologies Incorporated United States 5 Teledyne Technologies Incorporated
Supporter Steve Highsmith
https://uk.linkedin.com/pub/steve-highsmith/a1/b57/4ab
IT Operations Manager at Doosan United Kingdom 5 Doosan

Table 1. Fake LinkedIn personas. Some potentially sensitive information has been redacted.

Endnote

[1] The Dell SecureWorks Counter Threat Unit(TM) (CTU) research team tracks threat groups by assigning them four-digit randomized numbers (2889 in this case), and compiles information from external sources and from first-hand incident response observations.