If you use LinkedIn and are opening attachments associated with your contacts you might want to rethink your actions.

Cybersecurity company FireEye’s researchers have uncovered yet another instance of LinkedIn being used as a platform to reach out and touch individuals of interest by a nation state. In this instance, the nation state is Iran, the weapon is APT34 (Advanced Persistent Threat 34), the target is “decision makers and key organizations that may have information that furthers Iran’s economic and national security goals.”

How Iran is Reaching out via LinkedIn

What Iran is not doing is reaching out to targets of interest via accounts easily discernible as having an Iranian nexus. Rather, they are using the widely used technique of fake personas.

This time around, the Iranian’s chose to be associated with Cambridge University as the “employer” and they created the persona of Rebecca Watts, a member of the “Research Staff at University of Cambridge,” whose LinkedIn profile intimated that she was a 30-something fun-loving. And “her” methodology was to share with those who were being targeted a document or excel spreadsheet which had APT-34 malware embedded within.

She was seeking researchers and once there was an expression of interest, then she sent them a document and form to fill out. And with that, the Iranian’s waited for the target to click the link. See this example which FireEye captured in the image below.

APT34 – Used by Iran before

The APT34 raised its ugly head back in 2015 when FireEye unveiled to the world how the Iranians were using the malware to burrow into the infrastructure within the Middle East. Iran’s operational engagement, using a tool which served them well in the past, but against a different target set may have violated the maxim of the intelligence arena of use your tools once and only once, it worked for them. Perhaps the exception to the rule.

The Iranians targeted government, energy and utilities, and oil and gas in this iteration.

Who else uses LinkedIn as a targeting platform?

Is this a rhetorical question? Yes. All intelligence entities use and harvest LinkedIn data.

The ability to hunt within a forest full of lucrative targets who are assisting you, the targeting officer, by providing first-person descriptions of their activities, is simply too ripe a piece of fruit not to pluck. We’ve documented how Russia has weaponized LinkedIn and how China has used LinkedIn in their intelligence operations. We’ve shared admonishments from the United States, Germany and the United Kingdom on the need to show discretion.

For all of the above reasons, the advice remains the same. FSO’s need to emphasize to their cleared personnel not to overshare – TMI (too much information) on social networks is inviting targeting by foreign intelligence. To connect to individuals they know and not accept as positive confirmation a user’s connection to that request to engage – you don’t know the level of discretion being used by your connection in building their network.

And despite the myriad of advice columns on how to avoid being a target, you don’t get to choose if you are a target, the hostile intelligence organization has that action. Your responsibility is to know how to react when you are approached, whether via a false persona, false flag or false premise.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).