The fake personas fell into two groups: one set that were fully developed profiles posing as recruiters for major worldwide government contractors and international corporations, and another set that were less developed and designed to lend legitimacy to the primary accounts through endorsements and connections.
from computer company Dell's Secure Works unit identified the group behind the profiles as "TG 2889," and researchers said there was strong circumstantial evidence pointing to the group operating out of Iran. The hackers employed a number of companies matched to computer domains used in attacks that had previously been attributed to cyberattackers from Iran, and the spread of targets in the Middle East, Arab states, North Africa and the U.S. would be consistent with an Iranian source.
Researchers said the cyberspies were posing mainly as recruiters from major international companies including Northrop Grumman, General Motors, Teledyne Technologies, Doosan and Airbus.
The crew seemed to be having success -- more than 200 legitimate LinkedIn users had connected with the 25 fake accounts that researchers analyzed. The majority of the targets were from Saudi Arabia, Qatar, United Arab Emirates and Pakistan, but 12 were from the U.S.
Many of the targets worked in the telecom sector, government and defense.
The fake profiles allow hackers to spy by helping them engage in "social engineering" -- researching targets based on information on the Internet and social media to build a tailored phishing attack. Once the cyberspies establish a connection with the targets, they can send them malicious software hidden in links and attachments to emails that can compromise their computer, giving the hackers access to highly sensitive information.
The previously described Iranian group, for example, used malicious software hidden in what looked like a resume application to go after its targets.
Iran is considered one of the top concerns for the U.S. in cyberspace along with China, Russia and North Korea. Despite successful talks to reach a nuclear deal with Iran, cyberattacks have remained a concern -- with Director of National Intelligence James Clapper revealing this year that Iran had hacked a major Las Vegas casino.
Dell researchers recommended LinkedIn users only engage with profiles they know to be authentic and suggested companies do a better job of ensuring that profiles of individuals claiming to work for them are real.