Iran Counterintelligence Operation Uses Fake HR Companies to Phish Information

• Iranian hackers created bogus HR companies to collect personal data on individuals perceived as a threat to the country.
• They used fake accounts on popular social media platforms to promote the phishing operation.
• The campaign targeted people in Iran, Israel, Syria, and Lebanon.

An alleged Iran-nexus counterintelligence operation collecting data on Iranians and domestic threats suspected of espionage includes a phishing campaign to lure victims across Iran, Israel, Syria, and Lebanon, according to new research by cybersecurity firm Mandiant.  

Hackers created a fake professional recruiting business to collect data on individuals they perceive as a threat to the country, which may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.

The threat actors operated Telegram, Twitter, YouTube, and Virasty accounts to disseminate a network of over 35 fake recruiting websites, such as VIP Human Solutions, VIP Recruitment, Optima HR, and Kandovan HR.

Harvested information, which included addresses, contact details, and professional and academic experience, may be leveraged to uncover human intelligence (HUMINT) operations against Iran and to persecute those suspected of being involved. 

The said campaign showed weak overlap with a group known as APT42 or Charming Kitten, the report said. The notorious Iranian state-backed threat actor APT42 targeted both the Democratic and Republican presidential campaigns in recent months, but Mandiant said these groups’ activities are not related.

The FBI said the hack by Iran of the Trump campaign and an attempted breach of the Biden-Harris campaign pertained to a larger Iranian operation aiming to interfere with the upcoming U.S. presidential election.

This month, an Iranian cybercriminal gang targeted the WhatsApp accounts of staffers in the administrations of President Joe Biden and former President Donald Trump, posing as support agents for tech companies. Meta’s security teams linked the activity to APT42.

Also, OpenAI identified and blocked several Iranian accounts that employed ChatGPT in an influence operation focused on the U.S. elections to create conflictual content targeting Democrats and Republicans alike by rewriting news articles from legitimate sources and other people’s comments on social media.

In May, Iranian government-backed hackers breached the account of a county-level official with minimal access permissions and tried infiltrating the account of an important official via spear-phishing a few weeks after that.

Iranian state-backed threat actor APT42, associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), was confirmed to target high-profile accounts of both political campaigns connected to the upcoming U.S. presidential election. The U.S. State Department identified six IRGC-linked Iranian security officials reportedly responsible for the cyberattacks on U.S. water utilities in 2023.
However, a disinformation campaign connected to China allegedly operates a network of at least 5,000 fake X accounts focusing on divisive U.S. political issues that seem to be operated by AI.