Mandiant has discovered an unusual Iranian counterintelligence activity that focuses on prospective agents of foreign intelligence services, especially Israel's.
The operation was run by Iranian state-sponsored hackers between 2017 and March 2024 and comprised over 35 Farsi-language fake recruiting sites, which presented job offers and content related to the state of Israel.
These pages targeted and systematically harvested personal, occupational, and educational details to identify possible HUMINT candidates.
Technical Analysis
This operation carries traces of APT42, an Iranian group affiliated with the IRGC-IO that is also known to use social media for outreach and for targeting dissidents, activists, and expatriates.
Notably, the campaign's scope broadened over time: the operators also moved against Arabic-speaking intelligence communities connected with Syria and Lebanon. Mandiant's assessment did not identify any attempt related to US election interference.
The company has sought to disrupt the operation, shutting down related accounts and providing users of the affected websites with protective measures.
This campaign demonstrates how the Iranian government continues its efforts to protect its intelligence services, and possibly folds the information gathered into state repression.
In this complex cyber espionage campaign, fake Israeli recruitment sites focus on Farsi-speaking people and draw them in with social engineering techniques.
Links were spread via social media such as X (formerly Twitter) and Virasty, leading to malicious websites such as topwor4u[.]com and beparas[.]com.
These sites are hosted on WordPress and mimic HR agencies such as "Optima HR" or "Kandovan HR", with content and career opportunities related to Israel, cybersecurity, and intelligence.
The sites' structures were found to be identical, with some containing Telegram contacts whose handles carry the suffix "IL" (Israel), such as hxxps://t[.]me/PhantomIL13 and hxxps://t[.]me/getDmIL.
An investigation of beparas[.]com also identified the WordPress login handle "miladix", linked to a Gravatar avatar image referenced by a SHA-256 hash of an email address.
The campaign makes use of both the desktop and mobile versions of the sites, which carry Israeli-themed imagery and graphics.
These websites have forms that request personal and work-related information such as name, date of birth, email, physical address, educational history, and work history.
The attack cycle consists of distributing a link, presenting fake content, and gathering the submitted information.
A connection to an Iranian software developer was triangulated via miladix[.]com; however, no such connection could be verified.
This activity appears to be oriented towards monitoring Iranian nationals with cybersecurity skills, for espionage or recruitment purposes.
The "Axis of Resistance" operation involved sophisticated cyber espionage tactics targeting Syria and Hezbollah.
The investigation exposed fraudulent recruitment sites such as "Optima HR" and "VIP Human Solutions", which recruited native Farsi and Arabic speakers with security and intelligence backgrounds.
The sites shared command-and-control infrastructure and page templates, used Israel-affiliated imagery as decoy content, and listed phone contacts with the Israeli country code (+972) and Telegram group chats such as hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw.
Mandiant's investigation uncovered connections to domains like vipjobsglobal[.]com and various Telegram accounts. The campaign, suspected to be linked to Israeli Mossad, operated from at least 2018 to 2023.
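The defanged domains and Telegram links quoted in the two campaign descriptions above are the kind of indicators a defender would load into a web-proxy or DNS log sweep. The following script is an added example written for this article, not code from Mandiant or from the report it summarizes: it refangs the indicators exactly as they appear on this page, then scans a handful of constructed proxy log lines (the `timestamp client method url status` format and the IP addresses are assumptions made for the example) and reports hits on the listed hosts, their subdomains, and the exact Telegram paths, while leaving unrelated t.me links alone. Only indicators the article itself names are used; miladix[.]com is deliberately left out because the article says the link to it could not be verified.

```python
from urllib.parse import urlparse

# Indicators as they appear (defanged) in the article above. Labels are ours.
DEFANGED_INDICATORS = {
    "topwor4u[.]com": "fake HR site (Farsi-speaking targeting)",
    "beparas[.]com": "fake HR site (Farsi-speaking targeting)",
    "vipjobsglobal[.]com": "fake HR site (Arabic-speaking targeting)",
    "hxxps://t[.]me/PhantomIL13": "Telegram contact",
    "hxxps://t[.]me/getDmIL": "Telegram contact",
    "hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw": "Telegram group",
}

# Constructed sample proxy log (format and addresses are assumptions for this example).
SAMPLE_LOG = """\
2024-03-02T10:15:21Z 10.0.0.5 GET https://www.example.org/jobs 200
2024-03-02T10:16:02Z 10.0.0.5 GET https://www.topwor4u.com/careers/cyber 200
2024-03-02T10:16:40Z 10.0.0.9 GET https://t.me/joinchat/AAAAAFgDeSXaWr2r_AQImw 200
2024-03-02T10:17:05Z 10.0.0.9 GET https://t.me/some_unrelated_channel 200
2024-03-02T10:18:30Z 10.0.0.12 POST https://beparas.com/wp-admin/admin-ajax.php 200
""".splitlines()


def refang(indicator):
    """Turn the article's defanged notation (hxxps://, [.]) back into a real value."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def build_index(defanged):
    """Split indicators into bare domains and (host, path) pairs for full URLs."""
    domains, url_paths = {}, {}
    for indicator, label in defanged.items():
        clean = refang(indicator)
        if "://" in clean:
            parsed = urlparse(clean)
            url_paths[(parsed.netloc.lower(), parsed.path)] = label
        else:
            domains[clean.lower()] = label
    return domains, url_paths


def match_host(host, domains):
    """Exact match or subdomain match (www.topwor4u.com matches topwor4u.com)."""
    host = host.lower()
    for domain, label in domains.items():
        if host == domain or host.endswith("." + domain):
            return domain, label
    return None


def scan_proxy_log(lines, defanged=DEFANGED_INDICATORS):
    """Return one hit dict per log line whose URL touches a listed indicator."""
    domains, url_paths = build_index(defanged)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, _method, url = parts[:4]
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        hit = match_host(host, domains)
        if hit:
            hits.append({"ts": ts, "client": client, "url": url,
                         "indicator": hit[0], "label": hit[1]})
            continue
        key = (host, parsed.path)
        if key in url_paths:  # shared hosts like t.me only match on the exact path
            hits.append({"ts": ts, "client": client, "url": url,
                         "indicator": host + parsed.path, "label": url_paths[key]})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['indicator']} [{hit['label']}]")
```

Matching on the full host-plus-path for Telegram links matters in practice: t.me is a shared host, so flagging every t.me request would bury the three relevant handles in noise, whereas the fake HR domains are attacker-controlled and any subdomain of them is worth a look.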