
Iran hunts down double agents with fake recruiting sites, Mandiant reckons

Farsi-language posts target possibly-pro-Israel individuals


Government-backed Iranian actors allegedly set up dozens of fake recruiting websites and social media accounts to hunt down double agents and dissidents suspected of collaborating with the nation’s enemies, including Israel.

The campaign, which targeted Farsi speakers living in and outside Iran, began as early as 2017 and lasted until at least March this year.

The threat intel team at Google-owned Mandiant uncovered the activity and detailed it in a report published Wednesday.

In that document, Mandiant's Ofir Rozmann, Asli Koksal, and Sarah Bock offered a "high confidence" assessment that the operation was conducted on behalf of Iran's regime, and noted a "weak overlap" between this cyber-snooping job and APT42 - a cyber unit affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) accused of hacking Donald Trump's presidential campaign.

Whoever ran the campaign used several social media accounts on X and Virasty, an Iranian version of X, to promote more than 35 fake job recruiting websites containing content written in Farsi. The posts included job offers and Israel-related images and lures such as the Israeli flag and major landmarks, content used to lure Farsi speakers into thinking they were closer to their dream gig.

One Xeet, translated from Farsi, said:

In the past year, we were able to attract hundreds of information and cyber professionals and achieve unique successes at the global level.

If you have information and cyber work experience, join us.

Clicking the link in the Xeet sent users to a website for a phony human resources firm looking to "recruit employees and officers of Iran's intelligence and security organizations."

The sites encouraged job seekers with "documented experience and resume[s]" in infosec and cybersecurity to apply. "Excellent salary" and privacy protection were advertised as part of the package.

One of the sites Mandiant's threat hunters spotted - beparas[.]com - was tailored to both desktop and mobile devices. The site contained many elements designed to make it look like a legitimate Israel-based operation.

The fake recruiting websites encouraged users to complete a form recording their name, birth date, email, home address, education, and professional experience. The attackers scooped that info, potentially meaning Iran scored dissidents’ personal information.

That's an obvious data privacy problem. The scam could also create real-world safety issues, as the IRGC has been behind assassination attempts and other physical threats against its enemies.

As the Mandiant crew noted: "The collected data, such as addresses, contact details, as well as professional and academic experience, might be leveraged in future operations against the targeted individuals."

Iran ramps up malicious activity

This latest report comes as Iran has ramped up its cyberattacks against US and foreign targets.

Yesterday, Microsoft revealed a series of attacks targeting the satellite, communications equipment, oil and gas, and federal and state government sectors in the US and the United Arab Emirates.

According to Redmond, a different Iran government-linked group, Peach Sandstorm, which is also affiliated with the IRGC, was responsible for these intrusions, during which the crew deployed a new, custom backdoor dubbed Tickler.

Additionally, US government agencies said yet another Iranian cyberspy crew, Pioneer Kitten, has this month attacked US and foreign networks to steal sensitive data and deploy ransomware.

Ransomware appears to be a side hustle for the crew, which has worked with ransomware-as-a-service gangs NoEscape, Ransomhouse, and ALPHV/BlackCat, according to the FBI, CISA, and US Department of Defense.

The data-theft part, however, which usually involves stealing sensitive technical information from defense orgs in the US, Israel, and Azerbaijan, is likely conducted on behalf of Tehran, we're told. ®
