
Nation State Recruiting via Fraudulent LinkedIn Profiles

Health-ISAC members report an increase in LinkedIn being leveraged as a social engineering attack vector by nation-state adversaries. Attacks are becoming more sophisticated, escalating from basic phishing emails to whaling via LinkedIn. Nation-state threat actors build convincing LinkedIn profiles shortly before launching their attack campaigns. These profiles appear to be legitimate LinkedIn users, complete with endorsements and hundreds of connections. Executives, VPs, and Research and Development (R&D) teams have been targeted, including those working on COVID-19 vaccine and therapy programs.

The threat actors use fluent business terminology, sector knowledge, personal references and spoofed profiles, making whaling attacks difficult for even a cautious eye to identify. The adversary combines highly targeted content with several other methods that executives, VPs, and R&D teams should be aware of to reduce their chances of falling victim to a whaling attack. Recent whaling attacks have used information on suppliers or partners to construct whaling communications that appear credible.

Analysis: 

Fake Job Offers: The nation-state attacks outlined in this bulletin are unique in that they first make use of LinkedIn as an attack vector, as opposed to the most commonly observed tactic of email phishing. The adversary delivers well-crafted job offer letters to unsuspecting but targeted recipients, who are led to believe the offer originates from an authorized colleague because of the well-developed fraudulent LinkedIn profile delivering the offer letter.

Other: 

In addition to LinkedIn, the adversary uses WhatsApp and Skype as additional channels to communicate with victims. Once initial communication is established, the adversary either sends directly, or provides a link to, a Microsoft Word document containing malicious macros. The adversary may also request personally identifiable information (PII), later using the PII in identity fraud attacks and further social engineering schemes. The adversary additionally uses urgent language and themes to pressure the victim into a rapid, insecure process of transmitting PII and opening malicious documents.

Last Published: Apr 12, 2021