Iranian hackers using social media, job recruitment sites to lure Israeli spies
In John le Carré novels, spyhunters traipse around Cold War-era European city streets pinpointing dead drop sites and piecing together puzzles of information that can lead them to double agents. In the modern world, nations are increasingly turning to social media and the internet to conduct counterintelligence and identify potential spies.
According to new research from Mandiant and Google Cloud, an Iranian hacking group has been observed using disguised social media personas to spread and share fake job recruitment websites, employment offers and other content lures to unsuspecting victims.
The content was posted on platforms like X and Virasty — an Iranian alternative to Twitter/X — and people posing as Israeli headhunters or human resource employees directed users to job recruitment sites written in Farsi, the official language of Iran. Those who clicked were asked to provide personal details, such as their name, date of birth and home address, as well as information on their professional or academic backgrounds. That information was promptly sent to attackers.
The operation, first spotted in 2017 and last seen active in March 2024, appears primarily to be helping the Iranian government identify Iranians potentially cooperating with foreign adversaries, including Israel.
“The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran’s perceived adversarial countries,” wrote authors Ofir Rozmann, Asli Koksal and Sarah Bock. “The collected data may be leveraged to uncover human intelligence operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations.”
A post by social media persona @A_Soleimani_Far advertising a social engineering lure disguised as a job recruitment website on Virasty. [Source: Mandiant]
Social media persona @MiladAzadihr links to a fake, Israeli-themed job recruitment site on Twitter/X. [Source: Mandiant]
The decoy recruitment sites specifically advertised the need for individuals with background or experience in IT and cybersecurity, as well as “employees and officers of Iran’s intelligence and security services,” while offering “excellent” pay and promising to protect the individual’s privacy.
Ben Read, head of Mandiant’s cyber espionage analysis, told CyberScoop that while the threat intel firm lacks specifics on the number of individuals affected, the operation’s seven-year duration indicates that “presumably they’re having some success.”
Desktop and mobile versions of decoy job recruitment website beparas[.]com used in February 2024. [Source: Mandiant]
Mandiant assessed with high confidence that the operation was carried out at the behest of the Iranian government, with researchers noting a “weak overlap” with activity linked to APT42, a group accused by U.S. officials of targeting and spearphishing the Trump and Harris presidential campaigns.
But Read said this operation appears distinct from other APT42 operations. While it may share training or leadership with the APT group, it uses separate IT infrastructure, which leads Mandiant to believe it’s a separate entity. This activity is also unrelated to the U.S. elections and strictly focused on gathering counterintelligence on domestic actors and Farsi-speaking dissidents living abroad.
Tehran’s focus on uncovering Israeli collaborators stems from a decade of Israeli intelligence successes within Iranian borders and neighboring territories. That includes a string of assassinations of Iranian and Revolutionary Guard leaders and nuclear scientists, and Mossad’s 2018 theft of nuclear program documents.
More recently, Hamas leader Ismail Haniyeh was killed in a missile strike in Tehran after attending Iranian President Masoud Pezeshkian’s swearing-in ceremony. Israeli Prime Minister Benjamin Netanyahu has not publicly acknowledged or denied Israel’s involvement in the episode.
“Israel intelligence is clearly very active there and having impacts,” Read said, “so it would make sense that Iran would turn to this as a way to blunt that and try to find individuals who either are or are likely to be reaching out to Israelis and try to get them identified first.”