Woven through a Department of Justice indictment against former defense contractor and spy-for-China Ron Rockwell Hansen was the nugget that his dossier for Chinese officials included print-outs of colleagues’ LinkedIn pages. Hansen used his U.S. government and intelligence community background to build his roster of LinkedIn connections. The indictment doesn’t make clear how he used those connections in his relationship with Chinese intelligence, but it is clear LinkedIn played a part of his strategy of capitalizing on his personal network – and builds upon the robust use of LinkedIn already in action by Chinese intelligence.
It calls out a strategy that becomes even more dangerous with knowing actors like Hansen. You receive a connection request from a ‘recruiter’ in the national security space. Maybe they work for a major fortune 500 defense contractor, or list prior military experience in their profile. Most users look at the ‘shared connections’ before they accept. We already know that’s not a solid strategy in a world where many people boast to accepting every LinkedIn request they receive. But even in the more cautious defense and intelligence community, the Hansen case displays how even a contact you know may be leveraging LinkedIn for nefarious purposes.
LinkedIn’s Role in Espionage Cases Nothing New
Officials from the Defense Security Service have urged clearance holders to be cautious on social networking sites for years. In 2017, a DSS official noted “Right now, LinkedIn is the number one way we see industry being targeted.” In August, Director of the National Counterintelligence and Security Service William Evanina said LinkedIn was “a victim” of China’s aggressive attempts to target the U.S. national security community.
But the U.S. isn’t the only target. In October of 2018 French intelligence officials warned of LinkedIn schemes targeting French businesses and government agencies. Over 4,000 individuals were targeted and hundreds were duped into fake interviews and consulting contracts with Chinese intelligence officials. Targets shared both intellectual property and classified information with contacts they’d met via LinkedIn.
In December of 2017, Germany announced the results of a nine-month study where they discovered more than 10,000 connection attempts on LinkedIn via fake accounts operated by Chinese intelligence. The connections posted as recruiters and the heads of consulting firms or think tanks, and reached out to a variety of targets across government (as the Hansen case shows, sometimes the benefit is reached around your network, to create a cushion of shared contacts before they reach the primary target).
Scroll through the most recent espionage cases and there is a common thread in all of them – LinkedIn.
In 2017 a GE aviation engineer was targeted by Yanjun Xu, aka Qu Hui, aka Zhang Hui, a senior officer, Deputy Division Director, within the MSS’s Jiangsu State Security Department. The Chinese spy was extradited to the U.S. in early October, but his attempts to infiltrate GE began with a LinkedIn request.
In 2018 Kevin Patrick Mallory’s relationship with Chinese intelligence also began with a LinkedIn request. Mallory was approached by Richard Yang, a recruiter for the Shanghai Academy of Social Sciences. Mallory was something of a hyper connector on LinkedIn, and may have used his private business and aspirations as an intelligence consultant to bring in new connections across the intelligence community. As we’ve already learned, that web can then be used to enhance and expand the intelligence collection of Chinese intelligence.
What Can Be Done?
Sites such as LinkedIn have become quite adept at spotting bot accounts. The issue is they’ve not yet found a way to vet the kinds of espionage cases we see here. That why over the past five years, the use of LinkedIn by China, Iran, and Russian intelligence has only grown – not decreased.
In the case of Russia, one former CIA intelligence official argues the site has been weaponized – and that LinkedIn has become a knowing pawn in the use of the site to not just target, but to sabotage the reputations and networks of those it chooses to target. In January of this year, Charles Leven, a former CIA executive, was kicked off of LinkedIn because of the active measures of Russian intelligence in manipulating perception, and using its own accounts to target, attack and report Leven.
“In the world of counterintelligence operations, the Russian’s are either trying to recruit you or they are trying to neutralize you,” noted Christopher Burgess, CIA veteran and ClearanceJobs contributor who wrote about the Leven case in January of this year.
When it comes to recruitment, intelligence entities have found no richer vehicle than LinkedIn. And you can be assured if you have a federal security clearance or show any government or defense contracting work history in your profile – you’re the target.