* Hackers are part of group tied to Iranian Revolutionary Guard
* Operation active since 2017, impersonated Israelis to target Middle Eastern officials
* Fake HR firms used social media to lure targets, data may still be exploited
By Christopher Bing
Aug 28 (Reuters) - An Iranian hacking group ran a fake
professional recruiting business to lure national security
officials across Iran, Syria and Lebanon into a cyber espionage
trap, according to new research by U.S. cybersecurity firm
Mandiant, a division of Alphabet's Google Cloud.
Researchers said the hackers are loosely connected to a group
known as APT42 or Charming Kitten, which was recently accused of
hacking the U.S. presidential campaign of Republican candidate
Donald Trump. APT42 is widely attributed to an intelligence
division of the Iranian Revolutionary Guard, an expansive
military organization based in Tehran. The FBI has said it is
investigating APT42's ongoing efforts to interfere in the 2024
U.S. election.
The mission uncovered by Mandiant dates back to at least
2017 and was active until recently. At different times, the
Iranians made their operation appear as if it was controlled by
Israelis. Analysts say the likely purpose of the impersonation
was to identify individuals in the Middle East who were willing
to sell secrets to Israel and other Western governments. It
targeted military and intelligence staff associated with Iran's
allies in the region.
"The data collected by this campaign may support the Iranian
intelligence apparatus in pinpointing individuals who are
interested in collaborating with Iran's perceived adversarial
countries," the Mandiant report said. "The collected data may be
leveraged to uncover human intelligence (HUMINT) operations
conducted against Iran and to persecute any Iranians suspected
to be involved in these operations."
Iran's mission to the United Nations did not immediately
respond to a request for comment.
Mandiant found that the digital spies used a network of
websites impersonating human resources companies to manipulate
Farsi-speaking targets. The bogus firms were named VIP Human
Solutions, also known as VIP Recruitment, Optima HR and Kandovan
HR, among others. They leveraged dozens of inauthentic online
profiles on Telegram, Twitter, YouTube and social media platform
Virasty, which is popular in Iran, to promote the front
companies. Nearly all the associated internet accounts have
since been removed.
"VIP Recruitment, a center for recruiting respected military
personnel into the army, security services and intelligence from
Syria and Hezbollah, Lebanon," said a statement on one of the
websites. "Join us to help each other impact the world. Our duty
is to protect your privacy."
The hackers cast a wide net by using various social media
platforms to disseminate links about their fake HR scheme. It is
unclear how many targets ultimately fell for the ruse. The
collected data, which included addresses, contact details and
other resume-related data, could still be exploited in the
future, Mandiant said.