How spies used LinkedIn to hack European defense companies

It's a cautionary tale in the use of social engineering for espionage.
defense companies
A Gulfstream G550 owned by Poland's Air Force is pictured taking off from the Warsaw Chopin Airport in 2018. Gulfstream's parent company, General Dynamics, is one of at least two companies that an APT group has impersonated in an espionage scheme, according to ESET. (Getty Images)

For LinkedIn users, receiving unsolicited messages from pushy job recruiters comes with the territory. It’s an annoyance for some, a welcome path toward a new gig for others.

What the experience isn’t supposed to entail is hackers targeting sensitive data at the defense company that employs you.

That’s what happened to employees at two European aerospace and defense firms from September to December 2019, according to research published Wednesday. The culprit was an as-yet-unidentified advanced persistent threat (APT) group — hackers that are usually associated with governments. They posed as job recruiters on LinkedIn, and their methods were relentless, even clumsy at times.

The operatives “targeted a large array of employees at both organizations, across different divisions, relentlessly trying to get a foothold in their target’s network,” said Jean-Ian Boutin, head of threat research at ESET, the anti-virus firm that exposed the hacking campaign.


At the end of the operation, the hackers tried to bilk one of the European companies out of money a client owed them — an example of how APT groups occasionally dabble in personal enrichment schemes.

Boutin’s team isn’t sure what exact files, if any, the hackers were able to steal. But based on the people targeted, the researchers believe the hackers were after sensitive “technical and business-related information” held by the European companies.

ESET is still trying to determine who was responsible for the hacking. Tentative but unconfirmed clues in the data point to Lazarus Group, a broad set of hackers linked with the North Korean government. Regardless of who is behind it, the operation offers a cautionary tale in how social engineering can be used for espionage.

You are an ‘elite’

ESET’s findings show that, despite LinkedIn’s efforts to clamp down on imposters, the platform is still fertile ground for espionage.


U.S. officials have repeatedly accused Chinese spies, for example, of using the platform to recruit U.S. assets. Kevin Mallory, a former CIA clandestine officer, was convicted on espionage charges in 2018 after passing Chinese intelligence classified information. It all began when a Chinese headhunter contacted Mallory on LinkedIn in 2017 and introduced him to someone who worked at a Chinese think tank.

Other governments have exploited LinkedIn. North Korean hackers used LinkedIn for reconnaissance prior to their $81 million heist of the Bank of Bangladesh in 2016, according to an FBI affidavit.

This espionage uncovered by ESET began with flattery. LinkedIn users posing as recruiters from Collins Aerospace, a subsidiary of Raytheon, and General Dynamics sent obsequious messages to employees at the European defense and aerospace firms. The fake recruiters told the targets they are “elites” who had a spot waiting for them at their purported companies.

In at least one case, the scheme moved to email, where the hackers were more comfortable sending malicious files than conversing in broken English. They sent the targets documents that purported to contain more information about the job opportunities but were really an elaborate ruse for breaking into computers.

“[T]he attackers were pretty aggressive and persuasive in pushing their targets to open malicious documents they sent,” Boutin, the ESET researcher, said. “In some cases, the target was having technical difficulty opening them and the attackers were really trying hard to debug the problem.”


With that access, the hackers went further into the corporate networks. They “brute-forced” — or threw a series of passwords until one worked —a directory of employees to get a list of administrative accounts and stole passwords from those accounts.

The attackers attempted to cover their tracks, deleting their LinkedIn profiles and data from compromised computers. They made preparations to smuggle the files into a Dropbox folder they controlled.

In a statement, Paul Rockwell, head of trust and safety at LinkedIn, said the company has a process in place to defend its platform from spies.

“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members,” Rockwell said. “We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.”

Some of the malicious code that the spies used bore similarities to tools used by the Lazarus hackers. That includes a ‘backdoor’ known as NukeSped that North Korean computer operatives have used on Korean-speaking MacOS users. But that’s not enough for the researchers to point the finger at Pyongyang.


What is clear is that the perpetrators used corporate rivalries against the victims to increase the operation’s odds of success.

“Most people are unlikely to report to their current employer suspicious activities tied to a job offer they received, and were curious about, from a competitor,” Boutin said.

UPDATE10:39 a.m. EDT: This story has been updated with a statement from LinkedIn.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts