An Iranian hacker group laid a large-scale espionage trap by posing as a legitimate recruiting company. The trap was designed to lure national security officers into giving up data and confidential information.
The operation has been going on since 2017. At the time, the hackers shielded themselves by pretending to be Israeli. Experts believe they pretended to be Israeli recruiters to see which Middle Eastern officials were willing to sell military secrets to Israel.
At first, they targeted Iranian allies. As time went on, however, they turned their focus towards Western countries and their allies.
They used a network of fake recruiting websites for regions all across the Middle East, obtaining sensitive data for 7 years before they were detected.
“VIP Recruitment, a center for recruiting respected military personnel into the army, security services and intelligence from Syria and Hezbollah, Lebanon,” reads a deceptive statement on one of the hackers’ websites. “Join us to help each other impact the world. Our duty is to protect your privacy.”
The campaign was uncovered by Mandiant, a cybersecurity firm that’s employed by Alphabet’s Google Cloud service.
The hackers have ties to multiple Iranian hacking groups, including APT42, the group that took credit for hacking Donald Trump’s presidential campaign. The same group is being researched for possible interference with the 2024 US election.
APT42 has roots in the Iranian Revolutionary Guard, a militant group that holds power over multiple regions in Iran.
“The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran’s perceived adversarial countries,” reads the Mandiant report. “The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations.”
While many of the websites have already been removed, the hackers themselves have not been identified.