How spies used LinkedIn to hack European defense companies


For LinkedIn users, receiving unsolicited messages from pushy job recruiters comes with the territory. It’s an annoyance for some, a welcome path toward a new gig for others.

What the experience isn’t supposed to entail is the theft of sensitive data from the defense company that employs you.

That’s what happened to employees at two European aerospace and defense firms from September to December 2019, according to research published Wednesday. The culprit was an as-yet-unidentified advanced persistent threat (APT) group — hackers that are usually associated with governments. Their methods were relentless, even clumsy at times.

The operatives “targeted a large array of employees at both organizations, across different divisions, relentlessly trying to get a foothold in their target’s network,” said Jean-Ian Boutin, head of threat research at ESET, the anti-virus firm that exposed the hacking campaign.

At the end of the operation, the hackers tried to divert a payment that a client owed to one of the European companies, a business email compromise scheme that shows how APT groups occasionally dabble in plain financial fraud alongside espionage.

ESET researchers are still trying to determine who was responsible for the hacking. Tentative but unconfirmed clues in the data point to Lazarus Group, a broad set of hackers linked with the North Korean government. Regardless of who is behind it, the operation offers a cautionary tale in how social engineering can be used for espionage.

You are an ‘elite’

ESET’s findings show that, despite LinkedIn’s efforts to clamp down on imposters, the platform is still fertile ground for espionage.

U.S. officials have repeatedly accused Chinese spies, for example, of using the platform to recruit U.S. assets. Kevin Mallory, a former CIA clandestine officer, was convicted on espionage charges in 2018 after passing Chinese intelligence classified information. It all began when a Chinese headhunter contacted Mallory on LinkedIn in 2017 and introduced him to someone who worked at a Chinese think tank.

Other governments have exploited LinkedIn. North Korean hackers used LinkedIn for reconnaissance prior to their $81 million heist of the Bank of Bangladesh in 2016, according to an FBI affidavit.

The espionage operation uncovered by ESET began with flattery. LinkedIn users posing as recruiters from Collins Aerospace, a subsidiary of Raytheon, and General Dynamics sent obsequious messages to employees at the European defense and aerospace firms. The fake recruiters told the targets they were “elites” with a spot waiting for them at the purported employers.

In at least one case, the scheme moved to email, where the hackers were more comfortable sending malicious files than conversing in broken English. They sent the targets documents that purported to contain more information about the job opportunities but were really an elaborate ruse for breaking into computers.

“[T]he attackers were pretty aggressive and persuasive in pushing their targets to open malicious documents they sent,” Boutin, the ESET researcher, said. “In some cases, the target was having technical difficulty opening them and the attackers were really trying hard to debug the problem.”

With that access, the hackers went further into the corporate networks. They pulled a list of employees, including administrator accounts, from the company directory and then “brute-forced” the administrative accounts, trying password after password until one worked, to recover the credentials for those accounts.
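The brute-force step described above is the kind of activity a security operations team can catch in Windows Security logs: a single host producing a burst of failed logons (Event ID 4625) against several administrative accounts, possibly followed by a successful logon (4624) for one of them. The following detector is an added example written for this article, not code from ESET or from the victims; the log lines are constructed, the field layout (`timestamp|event_id|account|source_host`) is an assumed simplification of real event export, and the admin account names and hostnames are invented.

```python
"""Flag source hosts that brute-force administrative accounts.

Input: simplified Windows Security events, one per line:
    timestamp|event_id|account|source_host
Event 4625 = failed logon, 4624 = successful logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real victim telemetry). WS-0417 hammers four admin
# accounts within seconds and then logs in as adm-backup; WS-0222 is an ordinary
# user mistyping a password; WS-0301 is a single isolated failure.
SAMPLE_LOG = """\
2019-10-02T09:14:01|4625|adm-backup|WS-0417
2019-10-02T09:14:03|4625|adm-sql|WS-0417
2019-10-02T09:14:05|4625|adm-ops|WS-0417
2019-10-02T09:14:09|4625|da-jsmith|WS-0417
2019-10-02T09:14:12|4625|adm-backup|WS-0417
2019-10-02T09:14:20|4624|adm-backup|WS-0417
2019-10-02T09:15:00|4625|jdoe|WS-0222
2019-10-02T09:16:30|4625|jdoe|WS-0222
2019-10-02T09:40:00|4625|adm-ops|WS-0301
"""

# Assumed set of privileged accounts; in practice pull this from the directory.
ADMIN_ACCOUNTS = {"adm-backup", "adm-sql", "adm-ops", "da-jsmith"}


def parse_log(text):
    """Parse the pipe-delimited sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "account": account,
            "host": host,
        })
    return events


def detect_admin_bruteforce(events, admin_accounts,
                            window=timedelta(minutes=10), min_failures=4):
    """Return {host: finding} for hosts with >= min_failures failed logons
    against admin accounts inside a sliding time window. Each finding records
    the failure count, the admin accounts targeted, and which of those accounts
    later logged in successfully from the same host (the guess landed)."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_host[event["host"]].append(event)

    findings = {}
    for host, host_events in by_host.items():
        failures = [e for e in host_events
                    if e["id"] == 4625 and e["account"] in admin_accounts]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the burst fits in `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = failures[start:end + 1]
            if len(burst) < min_failures:
                continue
            targeted = {e["account"] for e in burst}
            succeeded = sorted({
                e["account"] for e in host_events
                if e["id"] == 4624 and e["account"] in targeted
                and e["ts"] >= burst[0]["ts"]
            })
            # Keep the largest burst seen for this host.
            if host not in findings or len(burst) > findings[host]["failures"]:
                findings[host] = {
                    "failures": len(burst),
                    "accounts": sorted(targeted),
                    "succeeded": succeeded,
                }
    return findings


if __name__ == "__main__":
    for host, finding in detect_admin_bruteforce(parse_log(SAMPLE_LOG),
                                                 ADMIN_ACCOUNTS).items():
        print(host, finding)
```

The threshold and window are deliberately low for the sample; on a real domain controller you would tune them against baseline failure rates and alert with higher priority when `succeeded` is non-empty, since that is the point at which password guessing has become an account takeover.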

Boutin’s team isn’t sure exactly which files the hackers were able to steal, but based on the people targeted, they believe it was sensitive “technical and business-related information” held by the European companies. The hackers smuggled the files out to a Dropbox account they controlled, then attempted to cover their tracks by deleting their LinkedIn profiles and removing the stolen files from the compromised computers.

In a statement, Paul Rockwell, head of trust and safety at LinkedIn, said the company has a process in place to defend its platform from spies.

“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members,” Rockwell said. “We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.”

Some of the malicious code that the spies used bore similarities to tools used by the Lazarus hackers. That includes a “backdoor” known as NukeSped that North Korean computer operatives have used against Korean-speaking macOS users. But that overlap alone is not enough for the researchers to point the finger at Pyongyang.

What is clear is that the perpetrators used corporate rivalries against the victims to increase the operation’s odds of success.

“Most people are unlikely to report to their current employer suspicious activities tied to a job offer they received, and were curious about, from a competitor,” Boutin said.

UPDATE, 10:39 a.m. EDT: This story has been updated with a statement from LinkedIn.
