The FBI‘s Office of Private Sector (OPS) issued a Liaison Information Report (LIR) which contained an explicit warning to the private sector on the use of social media networks by foreign intelligence services (FIS) to target corporate and U.S. government clearance holders. The LIR was issued by the FBI’s Washington Field Office and specifically notes how FIS use social media platforms to identify, recruit and conduct operations against U.S. government clearance holders. The LIR continues how the FIS will also use these social network “platforms for personal and intelligence gathering/operations purposes.”
This LIR, a long time coming, follows similar warnings issued by France (2018) and the United Kingdom (2015) on foreign intelligence use of LinkedIn for the purposes of spotting, assessing and developing relationships with targets of interest.
We have written extensively on China’s use of LinkedIn as a means to target U.S. government clearance holders. Two specific cases come to mind involving U.S. clearance holders being targeted through online networking:
Ron Rockwell Hansen
Hansen, who pleaded guilty to collaborating with Chinese intelligence, widely used LinkedIn as a means to identify individuals of potential interest to the Chinese for the purposes of intelligence collection. In a word, he was part of the “identify” portion of the human intelligence recruitment process. Hansen, went beyond spotting and assessing potential targets, he was used as a surrogate to attempt to recruit a member of the U.S. intelligence community.
Mallory was approached by a thinly covered Chinese intelligence officer who ostensibly was working on behalf of the Shanghai Academy of Social Sciences via LinkedIn. Mallory went on to be a collaborative asset of Chinese intelligence and he too assisted the Chinese in identifying individuals with access to U.S. sensitive national security information.
OPSEC is important
The LIR advises personnel to be vigilant and “adhere to strict operational security protocols in their physical and online presence.” The LIR then points recipients to the FBI’s counterintelligence page, FBI’s Domestic Security Alliance page and to Infragard as resources to help address insider threat.
While not naming the case, the LIR describes Mallory and his 500-plus network of LinkedIn contacts. The FBI also highlights how Mallory (and many others) indicate in their publicly available profile that they are holders of a U.S. government security clearance.
The confirmed use of both Mallory and Hansen and their breadth of contacts served to break the stereotype of foreign intelligence use of social networks. While the two had direct contact with Chinese intelligence, both enabled the Chinese to step back from the initial engagement and thus lowering the profile of the intelligence approach. After all, there is no foreign national contact and thus the requirement for U.S. government cleared personnel to report contact with either Mallory or Hansen, both U.S. citizens, disguised the Chinese hand.
Similarly, the LIR notes the use of social engineering by FIS officers via the use of fictitious personas, ostensibly with U.S. military or intelligence backgrounds have been noted and successfully used to establish online relationships from which they can elicit both intelligence and information on colleagues and acquaintances with access to information of interest.
Social Media + Tradeshows = FIS goldmine
Lastly, the LIR touches on something seemingly out of date, but still very effectively used by FIS: the trade show. The FIS will do their homework and scrape social networks for information upon which to set their bait to hook the target. The intent is to induce the targeted individual into a sustained level of engagement. This use of both the virtual information resource and the physical engagement provides the FIS the best of both worlds. FIS will assess a potential target face-to-face for suitability and vulnerability, use target-provided data via social networks prior to engagement, andthen use those same social networks as a means to sustain engagement.
FSO’s should share the FBI’s LIR with their cleared personnel and incorporate the aforementioned advisories into their counterintelligence and insider threat briefings, with an emphasis on the potential for U.S. citizens to be surrogates for foreign intelligence services.