Iran operated fake human-resources firm to root out unfriendly spies, researchers say

An Iranian hacking group ran a fake professional recruiting business to lure national security officials across Iran, Syria and Lebanon into a cyber espionage trap, according to new research by U.S. cybersecurity firm Mandiant, a division of Alphabet's Google Cloud. 

Researchers said the hackers are loosely connected to a group known as APT42 or Charming Kitten, which was recently accused of hacking the U.S. presidential campaign of Republican candidate Donald Trump. APT42 is widely attributed to an intelligence division of the Iranian Revolutionary Guard, an expansive military organization based in Tehran. The FBI has said it is investigating APT42’s ongoing efforts to interfere in the 2024 U.S. election. 

The mission uncovered by Mandiant dates back to at least 2017 and was active until recently. At different times, the Iranians made their operation appear as if it was controlled by Israelis. Analysts say the likely purpose of the impersonation was to identify individuals in the Middle East who were willing to sell secrets to Israel and other Western governments. It targeted military and intelligence staff associated with Iran’s allies in the region. 

“The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran’s perceived adversarial countries,” the Mandiant report said. “The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations.”

Iran's mission to the United Nations did not immediately respond to a request for comment. 

Mandiant found that the digital spies used a network of websites impersonating human resources  companies to manipulate Farsi-speaking targets. The bogus firms were named VIP Human Solutions, also known as VIP Recruitment, Optima HR and Kandovan HR, among others. They leveraged dozens of inauthentic online profiles on Telegram, Twitter, YouTube and social media platform Virasty, which is popular in Iran, to promote the front companies. Nearly all the associated internet accounts have since been removed. 

“VIP Recruitment, a center for recruiting respected military personnel into the army, security services and intelligence from Syria and Hezbollah, Lebanon,” said a statement on one of the websites. “Join us to help each other impact the world. Our duty is to protect your privacy.” 

The hackers cast a wide net by using various social media platforms to disseminate links about their fake HR scheme. It is unclear how many targets ultimately fell for the ruse. The collected data, which included addresses, contact details and other resume-related data, could still be exploited in the future, Mandiant said.