In a recent cybersecurity report, researchers uncovered a new espionage campaign in which Iranian hackers impersonated recruiters on LinkedIn to target the aerospace industry. These tactics, often associated with North Korean cyber operations, were attributed instead to a group tied to Iran’s cyberwarfare unit, raising questions about cross-border tactics and shared methods among adversarial states.
Iranian Group Mimics North Korean Tactics
The campaign has been attributed to TA455, a subgroup of the Iranian government-affiliated cyberwarfare organization, Charming Kitten, according to Israeli cybersecurity firm ClearSky. Traditionally, “fake worker” schemes involving fabricated recruiter profiles have been associated with North Korean threat actors. However, ClearSky has linked this latest operation to the Iranian cyber unit, suggesting that either TA455 intentionally mimicked North Korean-backed hackers to obscure its activities, or that North Korea shared attack methods and tools with Iran.
A New Wave of Cyber Threats to the Aerospace Industry
The TA455 campaign, active since at least September 2023, has relied on a combination of fake recruiting websites and LinkedIn profiles to lure industry targets. Posing as recruiters, the hackers distributed seemingly legitimate documents embedded with malware. Once downloaded, the malware—known as SnailResin—activated a backdoor called SlugResin, enabling cyber-espionage activities within the affected networks.
Both SnailResin and SlugResin have been previously linked to the Charming Kitten group, which is also tracked as APT35 by Microsoft. In a sign of evolving threat patterns, some researchers have also tied these tools to North Korean state-sponsored groups Kimsuky and Lazarus, adding to the evidence that North Korea and Iran may be sharing techniques and methods in their cyber operations.
A Targeted Campaign Expands Regionally
Earlier research by Google-owned cybersecurity firm Mandiant had flagged similar activity by suspected Iranian hackers, who previously targeted the aerospace, aviation, and defense sectors in Israel, the United Arab Emirates, and possibly Turkey, India, and Albania. LinkedIn profiles used in the current campaign appear to be updated versions of the profiles flagged in Mandiant’s earlier research, suggesting an evolution in the group’s tactics.
Although Iran’s cyber operations have historically focused on the Middle East, ClearSky’s report notes that this campaign has expanded to target Eastern Europe as well. The shift is likely motivated by ongoing geopolitical tensions and Iran’s alliances, especially targeting entities viewed as opposed to its strategic goals.
Evolving Tactics to Evade Detection
The TA455 campaign bears similarities to previous Iran-backed campaigns but reveals notable adaptations aimed at bypassing current security measures. To avoid detection, TA455 routed traffic through widely used, trusted platforms such as Cloudflare, GitHub, and Microsoft Azure Cloud, concealing its infrastructure within legitimate services.
ClearSky’s analysis highlights that the fake recruiter profiles, often associated with fabricated companies, were essential to the deception strategy. These profiles were designed to build trust, making it more likely for victims to engage with malicious links and attachments. By using LinkedIn, a trusted platform, TA455 managed to bypass traditional security mechanisms that typically flag suspicious emails or websites.
Escalating Cyber Threats with Broad Implications
This latest operation demonstrates the increasing sophistication and adaptability of Iran’s cyber operations. Leveraging shared tactics and using established platforms to disguise malicious intent signals a potential escalation in the cyber threat landscape, especially within sensitive industries like aerospace. ClearSky’s findings serve as a warning to organizations in high-stakes industries to be vigilant, as attackers continue to evolve methods that exploit trusted digital networks and platforms.
This campaign’s cross-border implications and high level of deception emphasize the urgent need for updated cybersecurity protocols. As state-affiliated cyber groups like TA455 refine their strategies, particularly by tapping into global platforms, cybersecurity defenses must evolve to match these sophisticated and persistent threats.