4 July 2019

Espionage and LinkedIn: How Not to Be Recruited As a Spy

By Scott Stewart

Intelligence agencies have always used open source intelligence to spot people with access to the programs or information they are attempting to collect. 

The internet provides such agencies with more open source information than ever; some sites, such as LinkedIn, are particularly useful for spotting people with access to desired information or technologies. 

By understanding how intelligence agencies use LinkedIn and other social media platforms, one can take steps to avoid or mitigate the threat.

The risk that hostile intelligence services will use LinkedIn as a recruitment tool has been widely reported. One such report, by Mika Aaltola at the Finnish Institute of International Affairs published in June 2019, focused on Chinese activity on LinkedIn. The phenomenon, however, is neither confined to Chinese intelligence operations nor limited to that particular social media platform. All intelligence agencies use similar exploits, as illustrated by the Iranian-linked hack of Deloitte in which a LinkedIn connection was used to gain an employee's trust. Even so, the number of reported cases attributed to the Chinese — including those of former intelligence officers such as Kevin Mallory and corporate espionage cases such as one involving an engineer at GE Aviation — suggest their intelligence services are among the most active and aggressive users of LinkedIn as a recruitment tool.

And this makes mitigating the threat critical, whether on LinkedIn or any other social media platform.

How Hostile Intelligence Agencies Use LinkedIn

Countering the threat coming through LinkedIn requires an understanding of how intelligence services use it in recruitment operations. This is best achieved by viewing the platform through the lens of the human intelligence recruitment cycle.

The recruitment process consists of three basic phases: spotting, developing and pitching. Each can be broken down into smaller steps, and there can be a great deal of variation in the process depending on the target and circumstances. But for our purposes, focusing on these three will suffice.


In the spotting phase, intelligence officers list people with access to the desired information and rank them according to the odds of extracting it. Before the internet, intelligence officers who wanted to target someone, say, on team X at a given company working on technology Y or with access to program Z, might have to do some serious legwork. The steps might have included obtaining a company roster or using some other means to acquire the names of people working on a given project at a given company. In some cases, they might even have had to recruit an access agent inside the company to help. All this could take quite a bit of time and effort, and if not accomplished deftly, could trigger suspicions at the targeted company.

But in a world of social media, intelligence officers can use LinkedIn to acquire a list of employees at a particular company or agency with specific job titles in a matter of seconds. In many cases, employees list the specific projects or technologies they are working on, with some even helpfully providing their security clearance levels. While social media tools are not a guaranteed method for intelligence officers to build a comprehensive list of everyone with access to a program or technology, they can easily jump-start that process. By looking for co-workers of the people identified in the initial search, intelligence officers may then be able to add people who were not as explicit in their LinkedIn profiles to the potential target list.

Once an intelligence officer has compiled a list of potential targets, the next step would be to identify the best prospects for recruitment, and what approach would work best to win them over. Here, too, LinkedIn can be useful. Although the service is geared toward professionals — and is, in fact, more buttoned-down and formal than social media platforms such as Facebook or Instagram — its members typically share enough information to offer clues as to which recruitment pitch might work. For instance, those who constantly complement attractive people might be ripe for an approach involving seduction. In a similar fashion, those complaining about being unemployed or underemployed could be open to financial enticement; ones appearing unhappy at work could be open to recruitment out of malice; and those making posts looking for affirmation might respond well to a little ego-stroking.

In a world of social media, intelligence officers can use LinkedIn to acquire a list of current or former people at a particular company or agency with specific job titles in a matter of seconds.

This information facilitates reaching out and establishing contact with potential targets. And I do mean targets here, because conducting these operations electronically allows even a single officer to develop contacts with multiple targets before focusing more intently on the few that appear most receptive and promising — thus upping the odds of success. 

The development stage of the recruitment process can progress quite differently depending on the ultimate objective. A spear phishing-type of operation like the one used in the Deloitte case would be developed differently than an operation that involved a bid to meet and recruit the source in person. But in either case, the ultimate objective of the development phase is to establish a relationship and build a degree of trust so the intelligence objective can be reached. 

With regard to LinkedIn, we have noted numerous cases in which hostile intelligence agencies such as China's develop a relationship with a target by posing as a think tank or university. Using that guise, the agency offers to pay the target to write a paper on a fairly innocuous topic, then invites her or him on an expense-paid trip to China to present it (This is a form of what is known as the "little hook" approach.) Once in China, the targets will be assessed more, and the relationship developed further with the intention of making a final recruitment pitch. In some cases, the intelligence agency will use documentation (such as videos) of past transactions between the intelligence officer and the target as a form of coercion, if needed. Once the target is officially recruited, he or she can be pressured to provide even more sensitive information. Although I specifically cite China here, all intelligence agencies use this same basic recruitment cycle, as do corporate intelligence actors. 

Dealing With the Threat

There are two basic approaches to dealing with a threat. One is risk avoidance and the other is risk mitigation. While risk avoidance is generally the safer course, in this case, it would mean simply not using LinkedIn or other social media. This is not always the most desirable outcome for businesses that encourage their employees to use their social media presence to promote the company and its work.

As with any threat, the first step to reducing the possibility of being recruited via LinkedIn is simply to recognize that the possibility exists. This awareness should help users realize that discretion is important when considering the information they post on LinkedIn — or any other social media platform, for that matter. Users should consider how what they are posting might appear to an adversarial intelligence officer, and how it could be used against them. 

A little restraint can go a long way toward reducing one's attractiveness as a target. If a person is working on a sensitive project or a technology likely of interest to a hostile actor, prudence dictates refraining from posting that information in a public forum. Posting details of sensitive projects for all the world to see is simply unwise, given the risk of drawing the attention of hostile intelligence officers.

LinkedIn users should consider how what they are posting might appear to an adversarial intelligence officer, and how it could be used against them. 

The second step is remaining skeptical of strangers who reach out on LinkedIn to ask to become a connection. Even greater skepticism is in order if the person reaching out has an attractive profile image or makes romantic overtures. It is also advisable to carefully review profiles of friends or co-workers who request to become connections to ensure that they are the real person, not an impostor. If a person who you accept as a connection begins messaging you in a way that seems too chatty or too flirty, or seems to be stroking your ego, your skepticism should increase even more. You should watch carefully for signs that may indicate that your connection is trying to build trust and develop a relationship with you as a potential recruit.

Other signs of a potential recruitment attempt could include offers to write a paper or for free travel to attend or present at a conference. Skeptically view offers from supposed employment recruiters who approach you about a job you have not applied for, a tactic frequently used by intelligence officers and common criminals alike. LinkedIn users should also recall that instead of a recruitment attempt, an intelligence officer may simply be trying to trick a user into opening malware. Because of the spear-phishing threat, users should exercise extreme caution when people they don't know well send email attachments or links. Even if the attachment is from a trusted source, be cautious if either you had not been expecting it or if something about it doesn't look quite right. Before opening or clicking, it's a good idea to call the sender to confirm they sent it. Unfortunately, of course, hackers have been known to assume control of LinkedIn accounts protected by weak passwords, using them to send attacks targeting the hacking victim's unsuspecting contacts. 

If you do suspect that someone is attempting to recruit you, I'd advise suspending all contact with the person — risk avoidance — and then reporting the suspected approach to the appropriate corporate or government security contact. Even though you spotted the recruitment attempt, you may not be the only target — and your co-workers may not be as savvy as you. Reporting such attempts can make others in your organization aware of the ongoing risk.

No comments: