The Iranian group that Dell's SecureWorks Counter Threat Unit Threat Intelligence team named Threat Group-2889 (TG-2889) appears to be the same group that Cylance and the FBI warned about in December, when it was infiltrating critical infrastructure targets around the world, researchers said in a blog post.
Dell said the group is building a network of fake LinkedIn profiles, creating invented identities for high-tech professionals and using them to make contact with companies in several countries.
The group appears interested in the aerospace, defense, military, chemical, energy, government, and education sectors. Most targets, however, work in telecommunications at companies located in the Middle East and North Africa.
Countries in the Middle East make up the majority of the targeted states. The top five are Saudi Arabia (39 businesses), Qatar (28), the United Arab Emirates (27), Pakistan (17), and the United States (12).
Dell has identified 25 fake LinkedIn profiles so far and said they were all created to support eight accounts that the researchers call "leader personas."
The other accounts exist only to support the leaders, lending them credibility and building a network of followers around them.
While the follower accounts are bare, the leader accounts carry a good deal of detail: TG-2889 members go to the trouble of joining various LinkedIn groups and even update the listings regularly, changing names and pictures before anyone catches on.