There have been growing warnings in recent years about the risks of professional networks being used for espionage. In 2018, in an interview with a news media organization, the United States’ top counterintelligence official stated that China was aggressively using the LinkedIn platform in an attempt to recruit Americans with access to valuable sensitive government and commercial data. At the time, both British and German authorities had issued similar warnings. Fast forward to today, and little has changed. In a recent interview with a prominent U.S. television media outlet, the directors from the “Five Eyes” – the intelligence alliance between the United States, United Kingdom, Canada, Australia, and New Zealand – cited how China exploits professional social networks to cultivate relationships in order to facilitate the theft of sensitive information. In fact, every indication is that more governments are finding value in leveraging these platforms for spying purposes, a disconcerting turn of events given that such platforms are meant to encourage interaction among global professionals. The following examples are just some of those that show this increasing trend.
United Kingdom. According to October 2023 reporting, an estimated 20,000 Britons have been approached by Chinese intelligence via LinkedIn with the purpose of stealing sensitive industrial or technology information. The head of MI5 noted that individuals working in artificial intelligence, quantum computing, or synthetic biology were especially at risk, and that the spying activity extended beyond government or military secrets. Some targets were enticed with trips to China for speaking engagements. The MI5 head cited this platform as a primary attack vector, noting that the 20,000 cases were executed via this online approach, nearly double what the agency observed in 2021.
Canada. In June 2023, the Canadian Security Intelligence Service (CSIS) issued a warning via social media over the potential recruitment of “high value” Canadians via LinkedIn and other professional social media platforms. The agency identified that China was using intelligence “proxies” – human resource workers or job recruiters – to approach individuals of interest and develop a professional engagement before moving conversations to more secure channels of communication such as WhatsApp. Targeted individuals were offered consulting opportunities in which they would be compensated for writing reports, in the hope that those reports would contain sensitive information. Per the CSIS, the ultimate clients of these reports were Chinese intelligence officers.
Netherlands. In February 2022, the Dutch General Intelligence and Security Service (AIVD) acknowledged that thousands of employees at Dutch high-tech companies had been consistently approached by Chinese and Russian intelligence personnel in an attempt to steal sensitive company secrets. Approaches were made via fake accounts on LinkedIn, the largest global professional network, posing either as colleagues in the science and engineering fields or as recruiters. Per AIVD, once first contact was made, the relationship progressed quickly, with the targeted individual’s expertise and knowledge cited as the basis for collaboration.
But to say that China is alone would present an incomplete picture of a more serious problem. Several other governments have been identified exploiting professional social media platforms in similar ways and for similar purposes. For example, North Korea’s cyber-enabled activity has primarily focused on the theft of money, and its exploitation of professional social media is no different. North Korean actors have used these platforms to facilitate financial crimes, targeting individuals with job ads and asking them to download a weaponized attachment. Iran has also been active in this arena, executing phishing campaigns that target individuals of interest via professional social media platforms with malware-embedded attachments to install backdoors and steal data and credentials. Often, Iranian actors would entice targets via fake profiles to join professional communities, developing relationships under the guise of participating in closed groups.
There have been several alerts about this type of activity over several years; however, despite the warnings, the activity only seems to be increasing. Two factors may be key to why it continues to proliferate. First, in order to be effective in an era of globalization, professional networks need to have an international reach and audience. Per its own website, LinkedIn states that it has more than 950 million members in more than 200 countries and territories. That certainly satisfies the coverage requirement for spying, since there are likely individuals that can be targeted in industries of interest in any country. Second, the very nature of a globalized market is that people are engaging with foreign counterparts constantly. What’s more, in several if not many instances, the idea behind professional social networks is to link people together in different regions of the world, whom they may not know, but whose engagement could yield substantive, successful, and productive relationships. So, being contacted by someone who is not immediately known is not a strange occurrence. This normalizes the cold-call approach often linked to intelligence recruitment. When working on a global issue like cybersecurity, being able to discuss and collaborate with foreign counterparts can provide more insight into and understanding of an issue, which otherwise might not benefit from the exchange of diverse cultural viewpoints and ideas.
In order to combat this growing threat, there have been calls for professional social networking platforms to vigorously police their offerings and remove fake and questionable profiles and accounts, as Twitter and Facebook have been doing. LinkedIn has stepped up efforts to identify and neutralize fake profiles. Per the platform’s Community Report, during the second half of 2022, approximately 58 million profiles were removed by LinkedIn, with 84% blocked at the registration stage and 12% requiring manual investigation. LinkedIn members reported others as well. This is a significant accomplishment, but like any game of whack-a-mole, it does not deter the activity so much as force the bad guys to change what they are doing and how they are doing it, and only if these efforts are making a noticeable impact against their spying. In the future, one wonders whether they will spend more time “legitimizing” accounts, creating trackable digital footprints, and establishing bona fides to instill more confidence.
In an era of disinformation and misinformation, the best defense rests with individuals being better discerners of who and what is presented to them. The same applies to being more rigorous scrutinizers of who reaches out to them in professional networks. As with dis- and misinformation, everyone is susceptible to falling victim to polished, deceptive approaches, which requires a constant state of alert and a healthy amount of skepticism. Being able to confirm the authenticity of individuals via trusted parties and/or independent research will go far in reducing the potential impact on themselves and any organization associated with them. This is a form of cyber resilience that people can practice on their own, and its success could have far more favorable results beyond just their own security.