U.S. cybersecurity firm FireEye has warned of a malicious phishing campaign that it has attributed to the Iranian-linked APT34—whose activity has been reported elsewhere as OilRig and Greenbug. The campaign has been targeting LinkedIn users with plausible but bogus invitations to join a professional network and emailed attachments laced with malware that seeks to infect systems with a hidden backdoor and steal data and credentials.
According to a FireEye blog post published on Thursday (July 18), the campaign targets specific industries that are clearly of interest to the regime in Teheran: “This threat group has conducted broad targeting across a variety of industries operating in the Middle East—however, we believe APT34’s strongest interest is gaining access to financial, energy, and government entities.”
Sam Curry, Chief Security Officer at Cybereason:
“The US civilian side might be vulnerable in many areas to exploitation, but it is neither monolithic nor small. It is highly diversified, distributed and massive in size. While Iran can swipe at civilian cyber targets through these types of campaigns using platforms such as LinkedIn, it will have diminishing returns. It is at most cyber terrorism, designed to scare the government, which is futile, and ultimately will lead to hardening the civilian sector. Beware of hyperbole and exaggeration too. Yes, Iran can hurt people. No, it’s not the end of the world as we know it. Yes, cyber sabers will be rattled just like the more literal and more traditional ones. No, this is not a cyber Pearl Harbor or 911. Yes, this is the new normal; and yes, we can weather it and beat it globally.
This notion of “an interchangeable battlefield tool,” is the heart of the matter: Cyber is a tool for extension of politics by other means just as much as any other battlefield weapon, and its own battlefield too. LinkedIn has grown to be the Facebook of the business world. Some still treat and police it as a trusted social channel and filter carefully with whom they connect. Others, myself included, treat it as always suspect and our networks as not inherently trustworthy. Unlike in other social media venues, we can’t afford to ignore requests to connect, as it could mean spurning or embarrassing legitimate connections.
Let’s be honest, we don’t know anyone well beyond a couple of hundred connections, and LinkedIn has gamified expanding the network and become a tool for staying close to those we distantly know. This demands a new set of protocols. Interaction on LinkedIn and many other social media should be done with a high degree of skepticism at all times. Click nothing. Download nothing. Practice being blunt and tough with connections and communications through LinkedIn. Whether or not you take an “accept all” approach, give people zero chances before being blocked. Attackers will always seek the soft underbelly in any conflict, and they will move to the social media platforms that succeed to practice social engineering. Social media engineering is something we should all be on alert for at all times.”
