Fake job listings help suspected Iranian hackers aim at targets in Lebanon

They're using fake job documents to target victims.
Iranian flag
(Getty Images)

Suspected Iranian hackers have zeroed-in on a target in Lebanon, according to Check Point research published Thursday.

Researchers caught attackers sending an unidentified Lebanese target documents that purported to contain details about job opportunities. If accessed in certain ways, those documents would deploy malware against victims. One such document imitated Ntiva IT, a consulting firm based in Virginia, Check Point said.

In order to be infected, targets would have needed to enable macros on the documents, triggering a process that launches malware every five minutes.

The hackers, which Check Point suspects belong to a hacking group known as APT34 or OilRig, have been using a new backdoor to access their targets, according to the researchers. APT34, which researchers say has been operating since 2014, is believed to frequently rely on decoy job opportunities to trap targets in their campaigns.


The group used LinkedIn in 2019 to go after espionage targets with fake job opportunities, according to FireEye research, for instance. In one other campaign, known as DNSpionage, hackers went after Lebanese and United Arab Emirates targets with websites containing fake job postings, according to Cisco Talos research. Talos researchers found a potential link between the DNSpionage hacking and the suspected Iranian hackers.

The hackers, which FireEye suspects has backing from the Iranian government, frequently aim to infiltrate governments in the Middle East, and organizations in the financial, government, energy and telecommunications sectors. Check Point did not providing identifying information about the apparent Lebanese targets.

Check Point attributes the latest campaign to APT34 due to similarities between this operation and previous APT34 schemes — including the macros, the backdoor, the approach to targets and other technical similarities, researchers note in blog on their findings.

In previous campaigns the attackers used imitation websites to conduct command-and-control communications, then gather data.

Check Point suggests that some of the differences in the campaigns are likely rooted in the fact that the hacking group’s tools were leaked in 2019, forcing APT34 to revamp its operations.


“Iran-backed APT34 shows no sign of slowing down, further pushing its political agenda in the middle-east, with an ongoing focus on Lebanon – using offensive cyber operations,” researchers noted.

The U.S. National Security Agency and the U.K.’s National Cyber Security Centre have been tracking the suspected Iranian cyber-espionage group’s activities for years. A two-year long investigation, which the NSA and NCSC jointly unveiled in 2019, showed Turla, a hacking group with links to Russian intelligence, was piggybacking on APT34’s hacking infrastructure.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts