FILE PHOTO: Man poses in front of on a display showing the word ‘cyber’ in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic
LONDON (Reuters) – Hackers posed as recruiters working for U.S. defence giants Collins Aerospace and General Dynamics (GD.N) on LinkedIn to break into the networks of military contractors in Europe, cybersecurity researchers said on Wednesday.
The cyber spies were able to compromise the systems of at least two defence and aerospace firms in Central Europe last year by approaching employees with pseudo job offers from the U.S. firms, Slovakia-based cybersecurity firm ESET said.
The attackers then used LinkedIn’s private messaging feature to send documents containing malicious code which the employees were tricked into opening, said Jean-Ian Boutin, ESET’s head of threat research.
ESET declined to name the victims, citing client confidentiality, and said it was unclear if any information was stolen. General Dynamics and Collins Aerospace, which is owned by Raytheon Technologies RTX.N, declined immediate comment.
ESET was unable to determine the identity of the hackers but said the attacks had some links to a North Korean group known as Lazarus, which has been accused by U.S. prosecutors of orchestrating a string of high-profile cyber heists on victims including Sony Pictures and the Central Bank of Bangladesh.
North Korea’s mission to the United Nations in New York did not immediately respond to a request for comment.
The attacks are not the first time LinkedIn has been caught up in international espionage. Western officials have repeatedly accused China of using fake LinkedIn accounts to recruit spies in other countries, and multiple hacking groups have been spotted using the business-networking site to profile their targets.
But ESET’s Boutin said hacking attempts are usually conducted via email. “This is the first case I am aware of where LinkedIn was used to deliver the malware itself,” he said.
LinkedIn said it had identified and deleted the accounts used in the attacks. “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors,” said the company’s head of trust and safety, Paul Rockwell.
Additional reporting by Michelle Nichols in New York; Editing by Elaine Hardcastle