Iran hacks US allies with lure of ‘dream job’ by posing as recruiters on LinkedIn

On Nov 13, 2024

Iranian-linked hackers have been using fake dream job offers to target individuals in key sectors in US ally states, a cybersecurity firm has claimed.

Tel Aviv-based ClearSky Cyber Security published a report which identified what it called the “Iranian Dream Job” campaign.

It targeted people in the aerospace, aviation and defence industries in Israel, the UAE, Turkey, India and Albania, Newsweek reports.

Click here for the latest headlines from the Daily Star.

It claimed Iran-backed hackers have been posing as recruiters on LinkedIn from at least September 2023 to tempt targets with what appear to be lucrative and legitimate job offers.

Donald Trump — Individuals targeted work in aviation, aerospace and defense industries in US ally states
(Image: Getty Images)

These profiles have been linked to fake employers such as Careers 2 Find and send malware to targets. One downloaded, this malware allows hackers to access systems and steal sensitive data.

ClearSky identified the involved group as TA455, which is also known as UNC1549 by Google-owned cybersecurity firm Mandiant.

Mandiant released a report that linked the group to Iran’s Revolutionary Guard Corps in February, which detailed the group’s “tailored job-themed lures”.

Stock image of hacker — Hackers target victims with legit-looking job offers then hit them with malware
(Image: Getty Images/iStockphoto)

Intelligence collected from targets in the aerospace and defence industries is “of relevance to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations”.

Iranian attacks used malware files sometimes identified by antivirus engines as originating from Kimsuky and Lazarus – which ClearSky said have been previously linked to North Korea.

ClearSky suggested the Iranian hackers could have “deliberately mimicked the tactics and tools” used by Pyongyang to disguise the campaign and “deflect blame”.

The cybersecurity firm also suggested that the similarities between the Iranian and North Korean campaigns could indicate “North Korea shared with Iran their attack methods and tools”.

In September the FBI warned that North Korea hackers were using fake employment offers to target cryptocurrency exchange-traded funds.

At the time, the FBI said: “For companies active in or associated with the cryptocurrency sector, the FBI emphasises North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organisations with access to large quantities of cryptocurrency-related assets or products.”

For the latest breaking news and stories from across the globe from the Daily Star, sign up for our newsletters.