It is no secret that nation states hostile to the United States are targeting individuals with access to secrets. Secrets may take the form of an intelligence product or the infrastructure which protects that product. Criminals, used as proxies by nation states or acting on their own initiative, are interested in precisely the same information. Those charged with protecting the nation’s secrets need not distinguish between nation-state and criminal activity; they must be aware that past, current, and future employees are being targeted.

Targets: Recruiters and Candidates

In a recent report issued by Trellix’s Advanced Research Center it is evident that not only are job seekers being targeted, recruiters associated with entities of interest to the bad actor are also being targeted.

The bad actor is coming at the equation from all sides. The methods include “deceptive job availability emails” which target candidates, while simultaneously targeting recruiters with “malicious emails disguised as job applications.” By coming at the hiring pipeline from both directions on sites like LinkedIn that offer easy, unchecked access, the adversary stands a better chance of compromising the infrastructure, and of compromising enough individuals to gain an opportunity to harvest information of interest and/or infrastructure details that allow long-term residency.

Indicators of compromise

Trellix has compiled and provided an “indicators of compromise” (7-page pdf) list which contains a plethora of information which will help organizations identify if their personnel are being targeted. These include file names, file types and subject lines.

Among those identified as promulgating these efforts is a group known as TA4577, which was first brought to the attention of cyber teams in October 2023. At that time, they were focusing on publicly available “job listing boards.” As discussed above, they seem to have found that their efforts were far more successful when targeting recruiters, whose success metric is filling a given position requirement, by sending the target “benign-looking emails, expressing interest in an open position.” Then, when the recruiter responded, they would begin grooming the target to open a document or follow a link which carried a targeted piece of malware.
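As an added example that is not part of this article or the Trellix report, the following Python sketch shows the kind of check a mail gateway or recruiting mailbox could run over inbound messages against the three indicator categories the report’s list covers (file names, file types, subject lines). The indicator values and mail records here are constructed placeholders, not the published indicators; it also handles two details the recruiter lure makes likely, reply prefixes on a subject line and double extensions on a disguised attachment.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholder indicators in the three categories the report's list
# covers (file names, file types, subject lines). Illustrative values only,
# not the published Trellix indicators; load the real list when deploying.
IOC_FILE_NAMES = {"example_candidate_cv.iso"}
IOC_FILE_TYPES = {"iso", "lnk", "vbs"}
IOC_SUBJECTS = {"example: interest in your open position"}

_REPLY_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


@dataclass
class MailRecord:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)


def normalize_subject(subject):
    """Lower-case, trim, and drop leading Re:/Fw: tokens so a reply in a thread still matches."""
    return _REPLY_PREFIX.sub("", subject.strip()).strip().lower()


def extensions(name):
    """All extensions of a file name, so 'cv.pdf.lnk' yields ['pdf', 'lnk'] and the disguise is caught."""
    return name.lower().split(".")[1:]


def match_record(rec):
    """Return (category, value) hits for one inbound message."""
    hits = []
    if normalize_subject(rec.subject) in IOC_SUBJECTS:
        hits.append(("subject", rec.subject))
    for name in rec.attachments:
        if name.lower() in IOC_FILE_NAMES:
            hits.append(("file_name", name))
        if any(ext in IOC_FILE_TYPES for ext in extensions(name)):
            hits.append(("file_type", name))
    return hits


def scan(records):
    """Map sender -> hits for every record that matched at least one indicator."""
    return {rec.sender: hits for rec in records if (hits := match_record(rec))}


# Constructed sample records for a recruiter mailbox (addresses use the reserved .invalid TLD).
SAMPLE_RECORDS = [
    MailRecord("applicant1@example.invalid", "Re: Example: Interest in your open position", ["resume.pdf.lnk"]),
    MailRecord("applicant2@example.invalid", "Application - Systems Engineer", ["resume.pdf"]),
    MailRecord("applicant3@example.invalid", "Following up", ["example_candidate_cv.iso"]),
]

if __name__ == "__main__":
    for sender, hits in scan(SAMPLE_RECORDS).items():
        print(sender, hits)
```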

Educate the workforce

Human Resource departments, hiring managers, and security personnel (including FSOs) should familiarize themselves with the exemplars of the emails being used, as provided by Trellix. Furthermore, the counterintelligence and cyber hygiene briefings given to employees should make attendees aware of “credential phishing,” where the bad actor attempts to trick the target into signing in on a log-in page that the malevolent party controls.

The prevalence of malicious actors targeting the national security job search process further emphasizes the importance of being safe and cautious during all aspects of the recruiting and hiring experience. While cleared candidates are often advised on the importance of safely interacting with only trusted employers, the Trellix report emphasizes that recruiters should be equally vigilant and aware before engaging with unknown or unvetted candidates.

“The escalation of these tactics and the significant impact to an employer’s bottom line really emphasize why a trusted and protected platform like ClearanceJobs exists,” said Evan Lesser, Founder and President of ClearanceJobs. “A cleared recruiter on a public platform does become a target and needs to be incredibly careful in how they communicate with others. It’s one of the reasons why we really emphasize the communication within ClearanceJobs where users have rich details and historical activity on others. It’s just one more layer of trust in the process, and important for both recruiters and candidates.”

The methodologies used by the adversaries will continue to evolve; we must evolve as well, in order to get out ahead proactively and be prepared to act reactively as required.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.