**secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles** **Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence** **Date: 07 October 2015** ## Summary While tracking a suspected Iran-based threat group known as Threat Group-2889 [1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a selfreferenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. ## Fake LinkedIn accounts The 25 fake LinkedIn accounts identified by CTU researchers fall into two categories: fully developed personas (Leader) and supporting personas (Supporter). The table in the Appendix lists details associated with the accounts. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity. #### Leader personas Profiles for Leader personas include full educational history, current and previous job descriptions, and, sometimes, vocational qualifications and LinkedIn group memberships. Of the eight Leader personas identified by CTU researchers, six have more than 500 connections (see Figure 1). ----- _Figure 1. Example Leader LinkedIn profile created by TG-2889. (Source: Dell SecureWorks)_ The results of open-source research conducted by CTU researchers provided compelling evidence that the Leader profiles were fraudulent: One of the profile photographs is linked to multiple identities across numerous websites, including adult sites. The summary section in one profile is identical to the summary in a legitimate LinkedIn profile, and the employment history matches a sample résumé downloaded from a recruitment website. In another profile, a job description was copied from genuine Teledyne and ExxonMobil job advertisements. The job description in yet another profile (see Figure 2) was copied from a legitimate job posting from a Malaysian bank (see Figure 3). ----- _Figure 2. Job description from Leader persona profile. (Source: Dell SecureWorks)_ _Figure 3. Malaysian bank job posting matching a job description associated with a fake Leader LinkedIn profile. (Source: Dell_ _SecureWorks)_ Five of the Leader personas purport to work for Teledyne, an American industrial conglomerate. In addition, one claims to work for Doosan (an industrial conglomerate based in South Korea), one for Northrop Grumman (a U.S. aerospace and defense company), and one for Petrochemical Industries Co., (a Kuwaiti petrochemical manufacturing company). #### Supporter personas Profiles for Supporter personas are far less developed than for Leader personas. They all use the same basic template with one simple job description, and they all have five connections (see Figure 4). Profile photographs for three of the Supporter personas appear elsewhere on the Internet, where they are associated with different, seemingly legitimate, identities. As with the Leader profiles, open-source research indicates that the Supporter profiles are also fake. ----- _Figure 4. Example Supporter LinkedIn profile created by TG-2889. (Source: Dell SecureWorks)_ #### Building credibility via endorsements The purpose of the Supporter personas appears to be to provide LinkedIn skills endorsements for Leader personas, likely to add legitimacy to the Leader personas. As shown in Figure 5, most of the Supporter accounts identified by CTU researchers have endorsed skills listed on the profiles of the Leader personas. Although unable to view Leader personas' LinkedIn connections, CTU researchers suspect the threat actors use the Supporter accounts to provide the Leader profiles with an established network, which also enhances credibility. ----- _Figure 5. TG-2889 uses Supporter accounts (gray) to endorse the skills of Leader personas (green). (Source: Dell_ _SecureWorks)_ #### Novel technique Although CTU researchers identified eight Leader profiles, two appear to be duplicates that have different identities associated with the same account. While CTU researchers were analyzing the profiles, the threat actors altered two of the Leader LinkedIn accounts. The original profile name and photograph were replaced with a new identity, and the current job was updated: in one case replacing Teledyne with Northrup Grumman (see Figure 6) and in the second replacing Teledyne with Airbus Group. _Figure 6. LinkedIn screenshots showing replacement of original Pamela McCoy persona with Christine Russell. The_ _alphanumerical LinkedIn ID, a1/7b/955, remains the same. (Source: Dell SecureWorks)_ Changing personas associated with existing profiles was a clever exploitation of LinkedIn functionality because the new identities inherit the network and endorsements from the previous identity. These attributes immediately make the new personas appear established and credible, and the transition may prevent the original personas from being overexposed. ## Targeting LinkedIn users Creating a network of seemingly genuine and established LinkedIn personas helps TG-2889 identify and research potential victims. The threat actors can establish a relationship with targets by contacting them directly, or by contacting one of the target's connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target's ----- 2889 likely uses spearphishing or malicious websites to compromise victims, and established trust relationships significantly increase the likelihood of these tactics being successful. #### Targets Seemingly legitimate LinkedIn users have also endorsed Leader personas. Endorsements are granted by connections, indicating that these legitimate users are part of the Leader personas' networks. Therefore, they are likely TG-2889 targets. Examination of the profiles associated with the endorsements revealed 204 potential TG-2889 targets. As shown in Figure 7, most are based in the Middle East. _Figure 7. Legitimate endorsers of fake TG-2889 LinkedIn accounts by country. (Source: Dell SecureWorks)_ A quarter of the targets work in the telecommunications vertical; Middle Eastern and North African mobile telephony suppliers feature heavily. A focus on these types of targets may indicate that TG-2889 is interested in acquiring data held by these organizations or gaining access to the services they operate. A significant minority of identified targets work for Middle Eastern governments and for defense organizations based in the Middle East and South Asia. ## Attribution Based on strong circumstantial evidence, CTU researchers assess that TG-2889 is linked to the activity that Cylance [described in its December 2014 Operation CLEAVER report. The report documented threat actors using malware disguised](http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf) as a résumé application that appeared to allow résumés to be submitted to the industrial conglomerate Teledyne. Cylance reported the use of the following domains, which reference companies associated with many of the fake LinkedIn profiles identified by CTU researchers: Teledyne-Jobs.com Doosan-Job.com NorthropGrumman.net Cylance attributed the Operation CLEAVER activity to a threat group operating at least in part out of Iran. CTU researchers have not uncovered any intelligence that contradicts this assessment. Furthermore, the strong focus suggested by the endorsement analysis on targets from Arab states in the Middle East and North Africa (MENA) region is in line with the expected targeting behavior of a threat group operating out of Iran. ----- Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical. It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks: Avoid contact with known fake personas. Only connect to personas belonging to individuals they know and trust. Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not verified outside of LinkedIn. When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer. Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites. If an organization discovers that a LinkedIn persona is fraudulently claiming an association with the company, it should contact LinkedIn. Creating false identities and misrepresenting an association with an organization is a breach of LinkedIn's terms and conditions. ## Appendix — Fake LinkedIn personas created by TG-2889 Table 1 lists details associated with Leader and Supporter personas created by TG-2889. The pairs shaded in dark gray are different identities associated with the same LinkedIn account. The only difference in the profile links of the shared accounts is the persona name. Type Name and profile link Role Country Connections Company Leader Jon Sam Park https://www.linkedin.com/pub/jong-sampark/a0/a46/3 Leader Pamela McCoy https://www.linkedin.com/pub/pamelamccoy/a1/7b/955 Leader Christine Russell https://www.linkedin.com/pub/christinerussell/a1/7b/955 Leader Timothy Stokes https://www.linkedin.com/pub/timothystokes/a0/a75/b46 Leader Matilda Aronson https://kr.linkedin.com/pub/matildaaronson/a1/4a5/227 Leader Petra Hedegaard https://kr.linkedin.com/pub/petrahedegaard/a1/4a5/227 Network Administrator Recruitment Consultant International Recruitment Consultant Recruitment Consultant Recruitment Consultant Recruitment Consultant Korea 500 Doosan United States United States United States 500 Teledyne Technologies Incorporated 500 Northrop Grumman 500 Teledyne Technologies Incorporated Korea 500 Teledyne Technologies Incorporated Korea 500 Airbus Group ----- https://www.linkedin.com/in/hbaqeri and Development Manager Leader Raheleh Keramat https://www.linkedin.com/pub/rahelehkeramat/99/751/4b Supporter Ben Blamey https://uk.linkedin.com/pub/benblamey/a2/503/a79 Supporter Brandon Mobley https://uk.linkedin.com/pub/brandonmobley/a2/45b/4b Supporter Broderick Huff https://www.linkedin.com/pub/broderickhuff/a1/a50/84 Supporter Carolyne Mejia https://uk.linkedin.com/pub/carolynemejia/a1/443/17 Supporter Edwin Grubbs https://www.linkedin.com/pub/pamelamccoy/a1/7b/955 Supporter Eric Harvill https://uk.linkedin.com/pub/ericharvill/a2/5a5/77b Supporter Helen Albers https://uk.linkedin.com/pub/helenalbers/a2/73b/6b7 Supporter Kristen Allen https://www.linkedin.com/pub/kristenallen/a1/a55/8b4 Supporter Lee Chia https://www.linkedin.com/pub/leechia/a2/506/485 Supporter ******* https://www.linkedin.com/pub/*******/a2/600/940 Supporter Merle Rogers https://uk.linkedin.com/pub/merlerogers/a2/378/30b IT Infrastructure Manager Senior Electronics Project Manager Senior Electronics Design Engineer IT Technical and Security Manager IT Support Analyst IT Recruitment Consultant Electronics Development Engineer Electronics Hardware Engineer IT Solutions Manager Hardware Design Engineer / Electronics Design Quality Manager IT Service Desk Engineer / Support / Windows / Mac OS / Li States Technologies Incorporated Kuwait 46 Petrochemical Industries Co. United Kingdom United Kingdom United States United Kingdom United Kingdom United Kingdom United Kingdom United States 5 General Motors 5 General Motors 5 Teledyne Technologies Incorporated 5 Teledyne Technologies Incorporated 5 Teledyne Technologies Incorporated 5 General Motors 5 Teledyne Technologies Incorporated 5 Teledyne Technologies Incorporated Korea 5 Doosan United Kingdom United Kingdom 5 ******* 5 Doosan ----- https://www.linkedin.com/pub/naomibrinson/a2/5b9/23a Supporter Peggy Gore https://uk.linkedin.com/pub/peggy-egore/a1/b60/a8b Supporter Raymond Reale https://uk.linkedin.com/pub/raymondreale/a1/497/689 Supporter Ricky Furst https://www.linkedin.com/pub/rickyfurst/a1/967/84a Supporter ******* https://www.linkedin.com/pub*******a67 Supporter Steve Highsmith https://uk.linkedin.com/pub/stevehighsmith/a1/b57/4ab Electronics Systems Engineer DFM, NPI Head of IT Services and Operations Project and Program Manager Assistant at Teledyne Technologies Incorporated IT Manager at Teledyne Technologies Incorporated IT Support Analyst at Teledyne Technologies Incorporated IT Operations Manager at Doosan Kingdom United Kingdom United Kingdom United States United States United Kingdom 5 Doosan 5 Teledyne Technologies Incorporated 5 Teledyne Technologies Incorporated 5 Teledyne Technologies Incorporated 5 Doosan _Table 1. Fake LinkedIn personas. Some potentially sensitive information has been redacted._ ## Endnote [1] The Dell SecureWorks Counter Threat Unit(TM) (CTU) research team tracks threat groups by assigning them four-digit randomized numbers (2889 in this case), and compiles information from external sources and from first-hand incident response observations. -----