Iranian Counterintelligence Operation Targets Farsi Speakers with Fake Recruitment Websites
Introduction
On August 28, 2024, Mandiant released a comprehensive report uncovering a suspected Iran-nexus counterintelligence operation. This campaign, targeting Farsi speakers within and outside Iran, leveraged fake recruitment websites to collect personal and professional data. The operation, attributed with high confidence to Iran's regime, aims to identify individuals potentially collaborating with foreign intelligence and security agencies, particularly in Israel.
Report Overview
Mandiant's investigation revealed that the operation, potentially linked to the Iranian Revolutionary Guard Corps (IRGC) and APT42, a known Iran-nexus threat actor, has been active since at least 2017. The campaign primarily targeted Iranian dissidents, activists, human rights advocates, and individuals with ties to foreign intelligence services. Similar operations were previously observed targeting Arabic speakers affiliated with Syria and Hezbollah, indicating a broader counterintelligence strategy by Iran.
The operation employed over 35 fake recruitment websites posing as Israel-based human resources firms. These sites used elaborate decoy content, including Israeli national symbols, to lure targets into providing sensitive personal details. The campaign also utilized multiple fake social media accounts to disseminate these websites, directing users to enter their information under the guise of job offers. The data collected was then sent to the attackers, potentially for use in identifying and persecuting individuals of interest to the Iranian regime.
The implications of this operation are significant, particularly for Iranian individuals suspected of collaborating with foreign entities. The collected data could be used to expose and target those perceived as threats to Iran's regime. Mandiant's report highlights the ongoing nature of Iran's counterintelligence efforts, which extend beyond its borders and may support allied operations in Syria and Lebanon.
Insights and Analysis
Mandiant's high-confidence assessment of the operation's connection to Iran's regime is based on observed tactics, techniques, and procedures (TTPs) consistent with past Iranian operations. The report also notes a weak overlap with APT42 activities, further corroborating the campaign's Iran nexus.
To mitigate the threat posed by this operation, individuals should exercise caution when interacting with recruitment websites, especially those requesting sensitive personal details. Verifying the legitimacy of such sites before submitting information is crucial. Additionally, security professionals should monitor for indicators of compromise (IOCs) related to this campaign, as listed in Mandiant's report.
Mandiant's report exposes a sophisticated Iranian counterintelligence operation targeting Farsi speakers with fake recruitment websites. The campaign's high-confidence attribution to Iran's regime underscores the persistent threat posed by state-sponsored cyber operations. As Iran continues to refine its counterintelligence capabilities, vigilance and proactive defence measures are essential to protect against such threats.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
beparas[.]com | Domain | Fake recruitment website posing as an Israel-based HR firm. |
parasil[.]me | Domain | Associated with the "Optima HR" fake recruitment campaign. |
darakeh[.]me | Domain | Another domain used in the fake recruitment operation. |
kandovani[.]org | Domain | Associated with the "Optima HR" and "Kandovan HR" fake HR campaigns. |
topwor4u[.]com | Domain | Promoted via fake social media accounts as part of the counterintelligence operation. |
opthrltd[.]me | Domain | Used as part of the "Optima HR" campaign, linked to fake HR firm operations. |
joinoptimahr[.]com | Domain | Website posing as an HR firm targeting Farsi speakers. |
optimax-hr[.]com | Domain | Another fake HR firm domain involved in the operation. |
optimac-hr[.]com | Domain | Used to target Farsi speakers with fake recruitment offers. |
optima-hr[.]com | Domain | Central to the "Optima HR" fake recruitment campaign. |
titanium-hr[.]com | Domain | Part of the broader fake HR website network used in the operation. |
azadijobs[.]me | Domain | Part of the "VIP Human Solutions" cluster, used in fake recruitment campaigns. |
bilal1com[.]com | Domain | Used in the "VIP Human Solutions" fake HR campaign. |
damavand-hr[.]me | Domain | Linked to "VIP Human Solutions" and targeting specific regions. |
damkahill[.]com | Domain | Domain associated with the "VIP Human Solutions" campaign. |
dream-jobs[.]org | Domain | Fake recruitment site targeting Farsi speakers under the "VIP Human Solutions" banner. |
dream-jobs[.]vip | Domain | Another domain within the "VIP Human Solutions" campaign. |
dreamy-job[.]com | Domain | Part of the fake recruitment network targeting intelligence personnel. |
dreamy-jobs[.]com | Domain | Used in a similar capacity within the "VIP Human Solutions" operation. |
dreamycareer[.]com | Domain | Another fake HR domain used in the broader campaign. |
golanjobs[.]me | Domain | Domain targeting individuals related to Syria and Hezbollah under the "VIP Human Solutions" cluster. |
hat-cast[.]com | Domain | Associated with the "VIP Human Solutions" campaign, possibly for phishing or data collection. |
irnjobs[.]me | Domain | Another domain linked to the "VIP Human Solutions" fake recruitment sites. |
jomehjob[.]com | Domain | Part of the cluster targeting intelligence personnel through fake HR sites. |
radabala[.]com | Domain | Linked to the broader "VIP Human Solutions" operation. |
rostam-hr[.]vip | Domain | Fake HR site associated with the "VIP Human Solutions" cluster. |
salamjobs[.]me | Domain | Used within the "VIP Human Solutions" fake recruitment campaign. |
shirazicom[.]com | Domain | Another domain from the "VIP Human Solutions" operation. |
syrtime[.]me | Domain | Associated with the campaign targeting Syria and Hezbollah intelligence personnel. |
topiranjobs[.]me | Domain | Domain targeting Iranian individuals within the broader operation. |
trnjobs[.]me | Domain | Used as part of the "VIP Human Solutions" network of fake recruitment sites. |
vipjobsglobal[.]com | Domain | Central to the "VIP Human Solutions" campaign, targeting intelligence personnel. |
wazayif-halima[.]com | Domain | Arabic-language fake HR site targeting Hezbollah and Syrian personnel. |
wazayif-halima[.]org | Domain | Similar to wazayif-halima[.]com, used in the same campaign. |
wehatcast[.]com | Domain | Another domain used in the broader "VIP Human Solutions" operation. |
youna101[.]me | Domain | Domain targeting Farsi speakers under the fake recruitment campaign. |
younamesh[.]com | Domain | Part of the "VIP Human Solutions" fake HR network. |
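As an added example that is not part of Mandiant's report or this article, the following Python script refangs a subset of the domains from the IOC table above and matches them label by label against a constructed DNS query log in a hypothetical key=value format, so that a lookalike such as the constructed notoptima-hr.com is not flagged the way a naive substring search would flag it.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed subset of the defanged domains from the IOC table above.
DEFANGED_IOCS = ["beparas[.]com", "optima-hr[.]com",
                 "vipjobsglobal[.]com", "wazayif-halima[.]org"]

# Constructed DNS query log in a hypothetical key=value format (not real data).
SAMPLE_DNS_LOG = """\
2024-08-29T10:15:02Z client=10.0.0.12 query=www.optima-hr.com type=A
2024-08-29T10:15:07Z client=10.0.0.12 query=mail.example.org type=MX
2024-08-29T10:16:41Z client=10.0.0.45 query=vipjobsglobal.com. type=A
2024-08-29T10:17:03Z client=10.0.0.45 query=notoptima-hr.com type=A
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<host>\S+)")

def refang(indicator: str) -> str:
    """Convert a defanged domain ('example[.]com') to a normalised hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def build_ioc_set(indicators: Iterable[str]) -> Set[str]:
    return {refang(i) for i in indicators}

def host_matches(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that host equals or is a subdomain of, else None.
    Matching is label by label, so 'notoptima-hr.com' does not match
    'optima-hr.com' the way a naive substring check would."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def scan_dns_log(lines: Iterable[str], iocs: Set[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried host matches an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ioc = host_matches(m["host"], iocs)
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": m["host"].rstrip("."), "ioc": ioc})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines(), build_ioc_set(DEFANGED_IOCS)):
        print(hit)
```

To use it against the full table, paste the remaining Indicator column values into DEFANGED_IOCS and adapt LOG_RE to the field layout of your own resolver or proxy logs.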
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Spearphishing via Service | T1566.003 | The operation used fake recruitment websites to socially engineer individuals into providing personal details, a form of phishing. |
Credential Access | Input Capture | T1056 | The websites required users to input personal and professional details, which were then captured by the attackers. |
Command and Control | Application Layer Protocol | T1071.001 | The campaign used Telegram links as a command and control mechanism to communicate with targeted individuals under the guise of HR communications. |