Christopher Burgess
Contributing Writer

China’s MSS using LinkedIn against the U.S.

News Analysis
Aug 31, 2018 | 4 mins
Cybercrime, Security, Social Engineering

The head of the U.S. National Counterintelligence and Security Center says China's MSS is using social networks, specifically LinkedIn, to target, access, and recruit U.S. sources.

The head of the U.S. National Counterintelligence and Security Center, William R. Evanina, in an interview with Reuters shared on Aug. 31, 2018, revealed that U.S. counterintelligence and law enforcement officials informed LinkedIn that the Chinese Ministry of State Security (MSS) was “super aggressive” on their site. The goal: to target, access, and recruit U.S. sources.

I hope Evanina also noted that water is wet.

The use of social networks by nation states, competitors, and criminal entities has been one of the primary routes to reaching out and touching targets of interest, often your trusted insider.

Thus, Evanina’s declaration is old news, but one that the U.S. intelligence and security community had their nose wiped in when the treasonous Kevin Patrick Mallory’s path to recruitment included having been contacted via LinkedIn by the MSS.

Indeed, Mallory himself used LinkedIn to fluff his importance in the eyes of the Chinese, baiting them, if you will, to look more attractive. Mallory had 500-plus connections on LinkedIn; perhaps you are one of those being highlighted to the MSS?

According to Mallory’s indictment and criminal complaint, he used LinkedIn to facilitate direct communication with individuals with knowledge and access to information of interest to the MSS — your trusted insider.

Social networks are a targeteer’s dream

This is not new news, though reminders need to be made. Let’s look at how LinkedIn and other social networks have been exploited for the purposes of engaging targets of interest.

First stop, the white hat effort that created Robin Sage, a fictitious persona that duped many members of the defense sector into maintaining contact and sharing information with “Robin.” This effort served to demonstrate how social networks can be used to lasso unsuspecting individuals into contact.

Germany’s warning

In 2017, the German BfV (internal security service) identified, publicized and neutralized eight fake Chinese LinkedIn profiles and three companies involved in targeting, accessing, and engaging German nationals in positions of interest to the MSS. Just how many individuals did the MSS target in Germany? According to the BfV, over 10,000 German citizens. In their most recent annual report, the BfV notes the counterintelligence threat posed by China via social networks, specifically LinkedIn.

Interestingly, it is the BfV that shares modus operandi with us regarding China’s MSS and their engagement via LinkedIn:

“Supposed scientists, job brokers, and headhunters make contacts with people who have a meaningful personal profile. They are lured with tempting offers and finally invited to China; there they are engaged by the Chinese intelligence apparatus.”

United Kingdom’s warning

In 2015, the United Kingdom’s MI-5 (internal security service) disseminated a memo to government entities warning that “foreign spies on LinkedIn are trying to recruit civil servants.”  

Dell SecureWorks IDs fake LinkedIn accounts

In 2015, Dell uncovered 25 fake LinkedIn profiles that turned out to be Iranian sock puppets targeting entities of interest to the Iranian Ministry of Intelligence and Security (MOIS).

What’s available to nation states’ intelligence entities?

As we look back over the past 10 years, and begin to add up the compromised data sets that may be in the hands of nation states’ intelligence entities for the purpose of putting together targeting portfolios on your trusted insider, the picture is just plain ugly.

Let’s start with the low-hanging fruit. The OPM breach of 2015 provided the complete file on millions of individuals who have applied or had applied for a U.S. government security clearance (excluding the U.S. intelligence community, whose applicants were not included in the OPM database).

Couple that with the salacious information culled from the Ashley Madison breach. Throw in the information from the Internal Revenue Service breach, the various medical insurance and service provider breaches, and then the credit rating services, and you have a mountain of information to cross reference.

For this reason alone, one should be cautious when engaging with unknown individuals on social networks. As the cases of Mallory and Robin Sage evidence, individuals are connecting with people and harvesting their information on social networks.

As I have said numerous times, you don’t get to decide if you are the target. The targeting entity decides if you are of interest and then they go to work in the hopes of evolving a strategy to make you an offer you can’t refuse. 

Fair warning, you may be that next target.

Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.