An Iranian hacking group ran a fake professional recruiting business to lure national security officials across Iran, Syria and Lebanon into a cyber espionage trap, according to new research by U.S. cybersecurity firm Mandiant, a division of Alphabet's Google Cloud.
The hackers cast a wide net by using various social media platforms to disseminate links about their fake HR scheme © Mena Today
An Iranian hacking group ran a fake professional recruiting business to lure national security officials across Iran, Syria and Lebanon into a cyber espionage trap, according to new research by U.S. cybersecurity firm Mandiant, a division of Alphabet's Google Cloud.
Researchers said the hackers are loosely connected to a group known as APT42 or Charming Kitten, which was recently accused of hacking the U.S. presidential campaign of Republican candidate Donald Trump. APT42 is widely attributed to an intelligence division of the Iranian Revolutionary Guard, an expansive military organization based in Tehran. The FBI has said it is investigating APT42’s ongoing efforts to interfere in the 2024 U.S. election.
The mission uncovered by Mandiant dates back to at least 2017 and was active until recently. At different times, the Iranians made their operation appear as if it was controlled by Israelis. Analysts say the likely purpose of the impersonation was to identify individuals in the Middle East who were willing to sell secrets to Israel and other Western governments. It targeted military and intelligence staff associated with Iran’s allies in the region.
“The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran’s perceived adversarial countries,” the Mandiant report said. “The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations.”
Iran's mission to the United Nations did not immediately respond to a request for comment.
Mandiant found that the digital spies used a network of websites impersonating human resources companies to manipulate Farsi-speaking targets. The bogus firms were named VIP Human Solutions, also known as VIP Recruitment, Optima HR and Kandovan HR, among others. They leveraged dozens of inauthentic online profiles on Telegram, Twitter, YouTube and social media platform Virasty, which is popular in Iran, to promote the front companies. Nearly all the associated internet accounts have since been removed.
“VIP Recruitment, a center for recruiting respected military personnel into the army, security services and intelligence from Syria and Hezbollah, Lebanon,” said a statement on one of the websites. “Join us to help each other impact the world. Our duty is to protect your privacy.”
The hackers cast a wide net by using various social media platforms to disseminate links about their fake HR scheme. It is unclear how many targets ultimately fell for the ruse. The collected data, which included addresses, contact details and other resume-related data, could still be exploited in the future, Mandiant said.
By Christopher Bing
No ships have made it past a U.S. naval blockade of Iran's ports and coastal areas, and six merchant ships have followed orders to turn back, the U.S. military said on Tuesday, providing the first details on a day-old effort ordered by President Donald Trump after peace talks between the U.S. and Iran broke down.
U.S. Secretary of State Marco Rubio hosted the first direct talks between Israel and Lebanon in decades on Tuesday and both sides said they held positive discussions although it was not immediately clear if they agreed to a framework for peace.
Israeli Foreign Minister Gideon Saar has signaled his country's desire for full normalization with Lebanon, just ahead of a key round of peace talks scheduled in Washington.
To make this website run properly and to improve your experience, we use cookies. For more detailed information, please check our Cookie Policy.
Necessary cookies enable core functionality. The website cannot function properly without these cookies, and can only be disabled by changing your browser preferences.