Russian and Chinese services use LinkedIn to target & recruit persons to spy on Dutch companies, says General Intelligence & Security Service (AIVD)

Thousands of employees at Dutch high-tech companies are systematically being approached by secret services from China and Russia who are trying to steal company secrets. This is done through fake accounts on LinkedIn, the largest business network in the world. The spies pose as fellow scientists or engineers. They also impersonate consultants or recruiters.

Dutch and other Western secret services are shocked by the number of successful contact attempts, in which people have ultimately been made to share sensitive information through blackmail or bribery. After the first contact via LinkedIn, the relationship is quickly made more “personal,” says Director Erik Akerboom of the General Intelligence and Security Service AIVD. The new contact acts flattering about your knowledge and expertise. ‘You get a request to translate something. After that, personal contact may follow at a conference.’

Awareness campaign

The scale and clout of the Russian and Chinese infiltration attempts have reached such proportions that the AIVD is sounding the alarm. Later this week, the service will launch a warning campaign via social media to make Dutch employees and officials aware of the dangers.

Last year, the Netherlands expelled two Russian spies from the country. They had enticed employees of several Dutch high-tech companies to sell information. The first contacts were made through LinkedIn, AIVD chief Erik Akerboom says to the FD. One of the Russians, who is an intelligence officer with the secret service SVR, created fake identities as a scientist, consultant and recruiter for this purpose. The AIVD would not say which companies were involved.

For years, China and Russia have been purposefully trying to get advanced technology into Western countries, including the Netherlands. This is done through company takeovers, but also through cyber attacks and classic espionage. The AIVD has previously warned that such attempts undermine the Dutch economy.

No ban

Dutch high-tech companies do not prohibit their employees from creating a profile on LinkedIn. ‘We do have protocols for the information people share on social networks,’ said a spokesperson for chip manufacturer NXP. ‘Everything an employee posts is legally checked.’ ASML, which is not allowed to sell its advanced chip machines to China because of an American boycott, does not prohibit activity on LinkedIn or other networks either. The company does make its employees aware of the risks.

Intelligence work by the AIVD shows that China and Russia are operating systematically, says Akerboom. Social networks like LinkedIn or Instagram are constantly being copied and stored in databases. They analyze them to get their sights on targets. They are dealing with people who have access to special technological knowledge. The data is combined with information acquired from outright hacks in their organization, looking for specific personal data.’

Potential targets are ‘ranked’, says the AIVD chief. The non-friendly services then look at the level of influence the potential targets have within their own organization, their position within a business network, and their access to important information. ‘The rankings determine which people they prioritize for their recruitment efforts.’

Fake recruitment agency

British and American intelligence agencies have previously warned against this type of espionage. Sometimes fake recruiting agencies are created. After initial contact via LinkedIn, a target is persuaded to drop by for an interview about a new job. By sharing confidential information about their current employer, the victim becomes vulnerable to blackmail. The Chinese secret service is said to focus mainly on expats who still have family in China. This makes them extra sensitive to pressure to share information.

The targeted spying via LinkedIn began in 2009, according to Cody Barrow, director of threat analysis at cybersecurity firm EclecticIQ in Amsterdam. Previously, he worked in the US as a ‘senior intelligence officer’ at the Department of Defense and the National Security Agency (NSA). ‘In that year I myself received my first LinkedIn request from an attractive woman I didn’t know. Once the spies become friends, and can read your full profile, they check if you use certain keywords. Or code words for software programs you work with.’

For example, if a spy were to read that an NSA employee works with the program Wrangler, the contact immediately becomes a higher priority for the spy. This is because it means that the employee is involved in gathering and analyzing information via satellite imagery.

Invites accepted carelessly

Barrow estimates that over the past ten years “many thousands of Dutch people” have received LinkedIn requests from Chinese spies. Requests are often accepted uncritically, especially if the requester already appears to share various contacts with the target. Moreover, many people are susceptible to flattering remarks. AIVD chief Akerboom says he is “not surprised” by the estimate of several thousand. Barrow thinks that half of these have also accepted a request.

Warning of such practices is a good thing in itself, but the AIVD itself should take much more proactive action against them, cyber security expert Ronald Prins believes. For example, the services could issue preventive warnings about an ongoing offensive. Or break into state-led hacker groups and share more knowledge. ‘So far, the service only comes into action when military applications are at stake. When are they going to make an effort for the economic security of the Netherlands?’

The AIVD has already expressed to the House of Representatives its desire for a broader mandate, to also defend commercial companies and ‘the earning capacity of the Netherlands’. The cabinet that took office last month allocated an extra €300 million for the security services in the coalition agreement, but there are no concrete plans yet about how this will be spent.

Response from LinkedIn

‘We actively look for signs of state-sponsored activity(s) on the platform and take swift action against actors with malicious intent to protect our members. We do not wait for requests for removal, our Threat Intelligence Team removes fake accounts using information we discover and information obtained from various sources, including government agencies. Creating a fake account or fraudulent activity with the intent to lie to or mislead our members is a violation of our terms of service.’