WASHINGTON – News this week that two former Twitter employees were charged by the Department of Justice with spying for Saudi Arabia inside the company put a fresh spotlight on a problem few businesspeople think about as they tweet, “friend” and message away on the internet: Social media is crawling with spies.
And the biggest target, according to some experts, isn’t the flashy Twitter – it’s the button-downed site LinkedIn, which is owned by Microsoft.
Current and former law enforcement officials contacted by CNBC argue that LinkedIn’s unique combination of professional information and implicit promise of financial gain makes it the perfect place for foreign intelligence services to troll for corporate insiders willing to spill intellectual property for money, or for U.S. government employees who have grown disgruntled in their jobs.
LinkedIn, they say, is likely being targeted by foreign agents looking to infiltrate the company physically as well as by spies looking to use phony LinkedIn accounts to connect with sources.
“If you’re a foreign intelligence agency, LinkedIn is a gold mine, because you can get friends, followers, family — and people’s rank inside companies,” said Clint Watts, a former FBI special agent and senior fellow at the Center for Cyber and Homeland Security at George Washington University. “There are more secrets in Silicon Valley than there are in Washington, D.C.”
Former FBI counterintelligence operative Eric O’Neill agrees. To spies, he said, “LinkedIn is interesting — you can use it to find out a lot of corporate information without even hacking.”
O’Neill, who played a key role in bringing down the FBI mole Robert Hanssen for spying on behalf of the Soviet Union, said Chinese intelligence agents have been among the most aggressive users of LinkedIn. “Data is the currency of our lives, and companies have all the data.”
Current government officials have gone public with warnings about Chinese espionage on LinkedIn. In August, William Evanina, director of the National Counterintelligence and Security Center, told The New York Times that China’s spies are operating on a mass scale. “Instead of dispatching spies to the U.S. to recruit a single target,” he said, “it’s more efficient to sit behind a computer in China and send out friend requests to thousands of targets using fake profiles.”
A Department of Justice official told CNBC that the Chinese recruitment efforts have been paying dividends for Beijing. “Of the recent U.S. intelligence officers who’ve flipped and gone to work for the Chinese, some of them were recruited by LinkedIn,” he said.
The problem, the official said, is that government officials, who are themselves looking to network and find higher paying jobs with more responsibility, put detailed accounts of their careers on the site — which can give the Chinese and others a road map of exactly whom to approach.
“It’s a site where people put up all their former security clearances and where they used to work,” the official said. “People ought to be a first line of defense for themselves and not post things on there that they wouldn’t tell directly to a foreign intelligence service.”
The good news for the U.S. government, the official said, is that LinkedIn is aware of the problem, and working to solve it. “We’ve talked to them about it, and they’re very responsive,” he said. “They’re very forward leaning on supporting lawful process.”
LinkedIn said it has been working on the problem for years.
“We actively seek out signs of state sponsored activity on the platform and quickly take action against bad actors in order to protect our members,” Paul Rockwell, LinkedIn’s head of Trust & Safety, said in a statement to CNBC. “We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources including government agencies.”
Rockwell said the creation of a fake account or fraudulent activity with an “intent to mislead or lie to our members” is a violation of the company’s terms of service.
Between January and June, LinkedIn says it took action against 21.6 million fake accounts and that it stopped the vast majority at registration, before they ever went live on LinkedIn. The company says it restricted 2 million fake accounts before members reported them, and 67,000 afterward. LinkedIn says it did so by pairing human review with artificial intelligence and machine learning.
It is difficult to say how many of those millions of accounts were created by foreign spies, but clearly some of them were. In 2018, the company said, it restricted 24 fake profiles it suspected were created by Russian “nation-state actors” that were engaged in sharing “politically divisive content from both ends of the U.S. political spectrum.”
All it takes is one
It takes just one persuasive account to do damage to a targeted company or government agency.
As far back as 2015, the cybersecurity company Secureworks reported that an Iran-based threat group it called TG-2889 was operating a network of fake LinkedIn profiles. The Iranians, apparently, had gone to a great deal of trouble. The firm said 25 fake LinkedIn accounts it discovered fell into two categories: fully developed personas, which it called “leaders,” and supporting personas it called “supporters.”
Profiles for the leader personas include full educational histories, current and previous job descriptions, and sometimes, vocational qualifications and LinkedIn group memberships. Of the eight leader personas that were found, six had more than 500 connections.
Why go through all that trouble making fake networking contacts? Because it works. Watts said he knows of a major bank that discovered its CEO had five separate profiles on LinkedIn. But the CEO himself hadn’t created any of them. Watts concluded that intelligence agents were using the fake CEO personas to connect with people the executive knew, and draw intelligence about the bank out of those real executives using direct messages from their phony boss.
O’Neill recalls an incident in which a company hired a cybersecurity firm as a “red team” to hack into its systems and detect vulnerabilities.
Instead of a blunt-force hack, the consultants simply went to a nearby Hooters restaurant and signed up a waitress as an accomplice with a nondisclosure agreement. Using photos of the waitress in various professional outfits, they created a fake LinkedIn account for a person they called “Emily Williams,” who was not only beautiful, but brilliant – a software expert with a master’s degree from MIT and an undergraduate degree from the University of Texas.
Once the account amassed enough contacts on LinkedIn, O’Neill said, the consultants changed the name of her purported employer to the target company. They then sent e-greeting cards at Christmas time to a large group of the company’s senior executives. O’Neill says everyone targeted opened the link — activating hidden malware — except for the company’s chief of security.
It’s one thing to take on fake MIT graduates from Hooters, but it’s quite another to be dealing with sophisticated and well-financed foreign intelligence services. That’s why many in the industry worry that companies will simply throw up their hands at the threat and not spend money trying to defeat an enemy that will never go away.
O’Neill said of the companies he deals with “some of them have said, ‘its not our job to stop this, we pay taxes to the government to solve it. You guys figure it out.’ But the danger is the government will solve it with regulation, and that’s a worry because it depends on the government.”
Glenn Chisholm, CEO of Obsidian Security in Newport Beach, California, said all of the social media companies are being attacked, and LinkedIn no more so than the rest.
But he believes all of them need to be able to go toe to toe with the foreign spies.
“It is a cost of doing business to combat nation-state intelligence agencies,” he said. “If you’re a Google or a Facebook, you can’t say you’re hopelessly outgunned. You have the smartest people and enormous resources.”