Iranian Operatives Infiltrate LinkedIn to Steal Information From Key U.S. Personnel

Published on October 8, 2015

A major security service provider has identified a group of 25 Iranian hackers that have been creating fake LinkedIn profiles in order to get hold of personal information from other users. The hackers, internally called Threat Group-2889, were attempting a large-scale social engineering attack, according to a report released Wednesday by the Dell SecureWorks Counter Threat Unit. Social engineering is the non-technical equivalent of hacking an actual person. Social engineers use human interaction to manipulate individuals into revealing confidential or sensitive information.

“To reiterate, this cyber threat group did not hack into LinkedIn, rather they created a network of fake, yet very convincing LinkedIn profile[s],” Elizabeth Clarke, director of media relations at Dell SecureWorks, told the Daily Caller News Foundation in an email. “The threat actors clearly spent a lot of time on this operation also managing to connect with over 200 legitimate employees, who we believe are their targets.”

The profiles were all connected with more than 200 actual profiles of individuals working in sectors such as telecom and defense, primarily based in the Middle East, according to the Wall Street Journal.

Dell SecureWorks categorized the hackers into two main groups: leader personas and supporting personas. Of the 25 personas, eight qualified as leaders. Leader personas have fully developed profiles that “include full educational history, current and previous job descriptions, and, sometimes, vocational qualifications and LinkedIn group memberships.”

The image below was provided to TheDCNF by Dell SecureWorks and shows one of the fake profiles.


Some of the leaders claimed to be employed at major international corporations such as Northrop Grumman and Petrochemical Industries Company. Six have more than 500 professional connections.

The supporter personas are less refined. They use the same format with one job description and have only five professional connections.

According to the analysis, the primary function of the supporter personas is to distribute skills endorsements for the leader personas in an effort to bolster credibility.


SecureWorks identified the fraudulent profiles through profile pictures used on other sites and suspicious employment descriptions. Some of the hackers copied profile information from other legitimate LinkedIn users and Exxon Mobil advertisements.

SecureWorks also believes Threat Group-2889 is the same group, known by other security providers as Operation Cleaver, that perpetrated a malware attack last year.

A spokeswoman for LinkedIn told the Wall Street Journal that the company has removed all of the fake profiles and that LinkedIn remains dedicated to protecting its members from these types of risks.


Copyright 2015 The Daily Caller News Foundation
