Espionage and LinkedIn: How Not to Be Recruited As a Spy

VP of Tactical Analysis, Stratfor
  • Intelligence agencies have always used open source intelligence to spot people with access to the programs or information they are attempting to collect. 
  • The internet provides such agencies with more open source information than ever; some sites, such as LinkedIn, are particularly useful for spotting people with access to desired information or technologies. 
  • By understanding how intelligence agencies use LinkedIn and other social media platforms, one can take steps to avoid or mitigate the threat.

The risk that hostile intelligence services will use LinkedIn as a recruitment tool has been widely reported. One such report, by Mika Aaltola at the Finnish Institute of International Affairs published in June 2019, focused on Chinese activity on LinkedIn. The phenomenon, however, is neither confined to Chinese intelligence operations nor limited to that particular social media platform. All intelligence agencies use similar exploits, as illustrated by the Iranian-linked hack of Deloitte in which a LinkedIn connection was used to gain an employee’s trust. Even so, the number of reported cases attributed to the Chinese — including those of former intelligence officers such as Kevin Mallory and corporate espionage cases such as one involving an engineer at GE Aviation— suggest their intelligence services are among the most active and aggressive users of LinkedIn as a recruitment tool.

The Big Picture

During the millennia that espionage has existed, its practitioners have often been among early adopters of new technologies, which they apply to their craft. The internet and social media have become important tools for intelligence agencies, not only in terms of information operations intended to spread propaganda and disinformation but also as a tool to enhance and expand the reach of their human intelligence efforts.

And this makes mitigating the threat critical, whether on LinkedIn or any other social media platform.

How Hostile Intelligence Agencies Use LinkedIn

Countering the threat coming through LinkedIn requires an understanding of how intelligence services use it in recruitment operations. This is best achieved by viewing the platform through the lens of the human intelligence recruitment cycle.

The recruitment process consists of three basic phases: spotting, developing and pitching. Each can be broken down into smaller steps, and there can be a great deal of variation in the process depending on the target and circumstances. But for our purposes, focusing on these three will suffice.

A flowchart showing the steps in the human intelligence recruitment process

In the spotting phase, intelligence officers list people with access to the desired information and rank them according to the odds of extracting it. Before the internet, intelligence officers who wanted to target someone, say, on team X at a given company working on technology Y or with access to program Z, might have to do some serious legwork. The steps might have included obtaining a company roster or using some other means to acquire the names of people working on a given project at a given company. In some cases, they might even have had to recruit an access agent inside the company to help. All this could take quite a bit of time and effort, and if not accomplished deftly, could trigger suspicions at the targeted company.

But in a world of social media, intelligence officers can use LinkedIn to acquire a list of employees at a particular company or agency with specific job titles in a matter of seconds. In many cases, employees list the specific projects or technologies they are working on, with some even helpfully providing their security clearance levels. While social media tools are not a guaranteed method for intelligence officers to build a comprehensive list of everyone with access to a program or technology, they can easily jump-start that process. By looking for co-workers of the people identified in the initial search, intelligence officers may then be able to add people who were not as explicit in their LinkedIn profiles to the potential target list.

Once an intelligence officer has compiled a list of potential targets, the next step would be to identify the best prospects for recruitment, and what approach would work best to win them over. Here, too, LinkedIn can be useful. Although the service is geared toward professionals — and is, in fact, more buttoned-down and formal than social media platforms such as Facebook or Instagram — its members typically share enough information to offer clues as to which recruitment pitch might work. For instance, those who constantly complement attractive people might be ripe for an approach involving seduction. In a similar fashion, those complaining about being unemployed or underemployed could be open to financial enticement; ones appearing unhappy at work could be open to recruitment out of malice; and those making posts looking for affirmation might respond well to a little ego-stroking.

In a world of social media, intelligence officers can use LinkedIn to acquire a list of current or former people at a particular company or agency with specific job titles in a matter of seconds.

This information facilitates reaching out and establishing contact with potential targets. And I do mean targets here, because conducting these operations electronically allows even a single officer to develop contacts with multiple targets before focusing more intently on the few that appear most receptive and promising — thus upping the odds of success.

The development stage of the recruitment process can progress quite differently depending on the ultimate objective. A spear phishing-type of operation like the one used in the Deloitte case would be developed differently than an operation that involved a bid to meet and recruit the source in person. But in either case, the ultimate objective of the development phase is to establish a relationship and build a degree of trust so the intelligence objective can be reached.

With regard to LinkedIn, we have noted numerous cases in which hostile intelligence agencies such as China’s develop a relationship with a target by posing as a think tank or university. Using that guise, the agency offers to pay the target to write a paper on a fairly innocuous topic, then invites her or him on an expense-paid trip to China to present it (This is a form of what is known as the “little hook” approach.) Once in China, the targets will be assessed more, and the relationship developed further with the intention of making a final recruitment pitch. In some cases, the intelligence agency will use documentation (such as videos) of past transactions between the intelligence officer and the target as a form of coercion, if needed. Once the target is officially recruited, he or she can be pressured to provide even more sensitive information. Although I specifically cite China here, all intelligence agencies use this same basic recruitment cycle, as do corporate intelligence actors.


Author: `