Post-Stuxnet hack group builds formidable LinkedIn phish network

Iran-based 'Cleaver' team hacking its way through networks, airport security


An accomplished Iran-based attack group known as "Cleaver" has created a network of at least 25 well-developed LinkedIn profiles to assist a social engineering campaign hitting targets across the Middle East.

The group is alleged to have formed in the wake of the Stuxnet attacks against Tehran's Natanz Uranium enrichment plant.

A report by security outfit Cylance found Cleaver obtained a "shocking amount" of access within the "deepest" sections of victim networks at big ticket defence, telco, and utility sectors.

In one case it gained access to security gates at airports in what was said to have potentially allowed attackers to traffic passengers.

White hat researchers tie the group to Iran based on the local IT infrastructure it uses in its attacks.

The latest findings reveal Cleaver has developed a LinkedIn social engineering network which consists of six so-called leader profiles that sport more than 500 profile connections.

Dell's CounterThreat Unit says the fake profiles claim individuals are employees at companies including defence contractor Northrop Grumman, US tech firm TeleDyne, Malaysia's RHB Bank, and South Korean holding firm Doosan.

There is no suggestion of involvement in the scheme by any named individual or organisation.

Support profiles have been established that serve as connection fodder for leaders.

They say the attack group, also labelled TG-2889, probably pops victims with spear phishing or compromised websites.

The LinkedIn leader network would "significantly increase" the likelihood of the attacks paying off.

"The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas," Dell investigators say.

"Five of the leader personas claim to be recruitment consultants, which would provide a pretext for contacting targets."

Most victims, determined by their proffered endorsements for leaders, are based in Saudi Arabia, Qatar, and the United Arab Emirates. American and British victims play a much smaller role.

A quarter of targets work in the telecommunications sector, notably in the Middle East and North Africa. Others work in Middle Eastern governments and defense organisations. ®
