Leaked LinkedIn Data May Perpetuate APT Campaigns

Garden State Cyber Threat Highlight

Original Release Date: 11/17/2023

Summary

A LinkedIn database containing roughly 35 million users’ personal information was leaked by USDoD, a hacking group that gained notoriety last year after leaking the personal information of nearly 87,000 members of the Federal Bureau of Investigation’s (FBI’s) collaborative intelligence platform, InfraGard. The database largely contains publicly available information scraped from millions of LinkedIn profiles, such as full names, email addresses, and profile biographies. While the leaked data does not include user passwords, numerous email addresses belonging to government agencies and institutions, including those of high-ranking US government officials, were identified in the dump. Aggregated in one place, this information can be used in targeted cyberattacks such as spearphishing, business email compromise, and employer impersonation.
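The first question a security team asks about a dump like this is whether any of its own accounts appear in it. The script below is an added example, not part of the NJCCIC advisory: it reads a constructed sample in the shape such leaks are typically distributed (CSV with full name, email, and headline columns), normalizes each email, and flags rows whose domain equals or is a subdomain of the organization's domains. Matching is done on whole DNS labels rather than substrings so that look-alike domains are not counted as exposure. The organization domains (nj.gov and state.nj.us), the column names, and every record are assumptions made for the example.

```python
"""Flag records in a leaked-profile dump whose e-mail belongs to one of
our organization's domains so the exposed accounts can be placed on a
phishing watch list.  All sample data below is constructed for this
example; none of the names or addresses are real people."""
import csv
import io

# Constructed sample in the shape scraped-profile leaks are commonly
# distributed: a CSV with name, e-mail and headline columns (assumption).
SAMPLE_LEAK = """\
full_name,email,headline
Alice Example,Alice.Example@nj.gov,Policy analyst
Bob Sample,bsample@cyber.nj.gov ,Security engineer
Carol Lookalike,carol@nj.gov.example.net,Recruiter
Dan Prefix,dan@mynj.gov,Consultant
Eve Other,eve@example.com,Student
Frank Broken,not-an-email,Unknown
Grace Sub,grace@dept.state.nj.us,Clerk
"""

# Domains we consider "ours" (assumed for the example).
ORG_DOMAINS = {"nj.gov", "state.nj.us"}


def email_domain(address):
    """Return the normalized (trimmed, lower-cased) domain of an e-mail
    address, or None when the value is not a single local@domain pair."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return domain


def belongs_to_org(domain, org_domains=ORG_DOMAINS):
    """True only when `domain` equals an org domain or is a subdomain of
    one.  Comparing whole labels (not substrings) rejects look-alikes such
    as 'nj.gov.example.net' and 'mynj.gov' that a naive `in` check accepts."""
    if domain is None:
        return False
    labels = domain.split(".")
    for org in org_domains:
        org_labels = org.split(".")
        if len(labels) >= len(org_labels) and labels[-len(org_labels):] == org_labels:
            return True
    return False


def exposed_accounts(csv_text, org_domains=ORG_DOMAINS):
    """Return [(full_name, normalized_email)] for every in-scope row,
    skipping malformed rows rather than aborting the whole scan."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = email_domain(row.get("email", ""))
        if belongs_to_org(domain, org_domains):
            hits.append((row["full_name"], row["email"].strip().lower()))
    return hits


if __name__ == "__main__":
    for name, email in exposed_accounts(SAMPLE_LEAK):
        print(f"{email:32} {name}")
```

Run against the sample, only Alice, Bob and Grace are reported: cyber.nj.gov and dept.state.nj.us are genuine subdomains, while nj.gov.example.net and mynj.gov are not, and the malformed row is skipped. The resulting list is what a team would feed into heightened mail filtering and targeted awareness reminders for the affected users.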

In a recent example, a Spanish aerospace company was targeted by Lazarus, a cyberespionage group linked to North Korea. The targeted employees were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable that presented itself as a coding challenge or quiz. In another example, Sapphire Sleet (also known as APT38 and BlueNoroff), a suspected sub-group of Lazarus, established new infrastructure impersonating skills assessment portals as part of its social engineering campaigns. Microsoft Threat Intelligence stated that Sapphire Sleet typically discovers targets on platforms like LinkedIn and uses lures related to skills assessments. In August 2023, the North Korean-linked Kimsuky group used spearphishing to gather and exfiltrate information regarding the Ulchi Freedom Shield drills, an annual joint military exercise conducted by South Korea and the United States. While that campaign did not rely on leaked data as its access vector, it demonstrates how aggregated personal information of this kind can be used for nefarious purposes, with implications for national security.

Recommendations

The NJCCIC advises users and organizations to remain vigilant and take proactive steps to limit their online presence and avoid exposing personal information. Avoid clicking links and opening attachments from unknown senders, and exercise caution even with emails from known senders, since a familiar name or address may be spoofed or compromised. To reach authentic job postings, navigate directly to the employer's website by manually typing the URL into a browser instead of clicking links delivered in communications. Before responding to an offer or providing sensitive information, job seekers are advised to research the potential employer online to determine whether others have reported a scam, and to verify the offer by contacting the employer's human resources department using official contact information rather than details supplied in the message. More information on job scams can be found on the Federal Trade Commission (FTC) website. Further details on securing personal information on social media accounts can be found in the NJCCIC informational report, How Big is Your Footprint. If victimized, report the activity directly to the respective employment listing service, the FTC, and the NJCCIC.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
