'Wanted: enemy agents' | Iranians root out spies using recruitment company ruse

A sophisticated Iranian espionage operation, masquerading as a professional recruiting business, has been uncovered by US cybersecurity firm Mandiant, a division of Google Cloud.

The operation, which dates back to at least 2017, targeted national security officials across Iran, Syria, and Lebanon, raising significant concerns about the vulnerabilities in recruitment processes.

According to Mandiant's research, the hackers behind the operation are loosely connected to a group known as APT42 or Charming Kitten, which has previously been accused of hacking the US presidential campaign of Republican candidate Donald Trump and is widely attributed to an intelligence division of the Iranian Revolutionary Guard.

The cyber espionage mission utilized a network of websites impersonating HR companies to manipulate Farsi-speaking targets. The bogus firms operated under names such as VIP Human Solutions (also known as VIP Recruitment), Optima HR, and Kandovan HR.

Hackers leveraged dozens of inauthentic online profiles across various social media platforms, including Telegram, Twitter, YouTube, and Virasty, a platform popular in Iran, to promote the front companies.

One of the fake websites brazenly stated: "VIP Recruitment, a center for recruiting respected military personnel into the army, security services and intelligence from Syria and Hezbollah, Lebanon. Join us to help each other impact the world. Our duty is to protect your privacy."

The operation's likely purpose, according to Mandiant, was to identify individuals in the Middle East who were willing to sell secrets to Israel and other Western governments.

It specifically targeted military and intelligence staff associated with Iran's allies in the region. The collected data, which included addresses, contact details, and other resume-related information, could potentially be exploited to uncover intelligence operations conducted against Iran and target individuals suspected of involvement in such operations.

At different times, the Iranian hackers made their operation appear as if it was controlled by Israelis, possibly to increase its appeal to certain targets.

The FBI has stated that it is investigating APT42's ongoing efforts to interfere in the 2024 US election, underlining the group's continued activities and the broader implications of such operations.

While the exact number of individuals who fell for the ruse remains unclear, the potential for future exploitation of the collected data remains a significant concern. The discovery highlights the critical need for enhanced cybersecurity measures in recruitment processes, especially for positions related to national security.

As of the report's publication, nearly all the associated internet accounts used in the operation have been removed.
