Chris Kubecka has spent her career defending against cybercriminals — but her closest encounter with a nation-state hacker group came in the form of an unexpected job offer on LinkedIn.
Kubecka, an American security researcher, was living in the Netherlands in late 2017 when she received a LinkedIn connection request, followed by a message, “out of the blue” from an Iranian official.
Kubecka didn’t realize that her response to the LinkedIn message would kick off a yearslong campaign to recruit her as a hacker-for-hire and later — after Kubecka rebuffed those requests — to try to track down her physical location and intimidate her.
The episode, which Kubecka has briefly recounted at past security conferences, shows the tactics that nation-state hacker groups may use to track down and contact persons of interest through initially banal messages on social media platforms — as well as the lengths they’re willing to go to in order to extract valuable information and expertise from seasoned researchers.
A LinkedIn spokesperson told Insider that the site’s rules prohibit recruiting people to carry out illegal activities like hacking or violating international sanctions. LinkedIn’s threat intelligence team regularly removes accounts that violate its policies “using information we uncover and intelligence from a variety of sources including government agencies,” the spokesperson added.
The firm did not, however, directly comment on Kubecka’s case, which shows how a seemingly innocuous message that slips through the cracks can snowball into something far greater.
“Already a bit dodgy and getting dodgier”
The LinkedIn connection request came from a man named Salman Joudaki, and once Kubecka accepted, he explained that he worked with the Telecommunication Company of Iran, the state-run organization overseeing the Iranian airwaves. Joudaki said he wanted to hire Kubecka to give cybersecurity training to agency employees.
“In essence, what he was trying to do was to recruit me,” she told Insider.
That initial request wasn’t particularly remarkable. Kubecka had contracted with the government in the Netherlands as well as other agencies, like advising the UK’s Centers for Protection of National Infrastructure and assisting Saudi Aramco’s response to Iranian “Shamoon” wiper malware. Her only hesitation stemmed from existing sanctions against Iran by the US and United Nations.
“I voiced skepticism because even though it was a plain vanilla type of thing, you work for the Iranian telecom,” Kubecka recalled. “I like training gigs when they pay well, but not when they put me in jail.”
But Joudaki was persistent. He asked to move their conversation to WhatsApp — one of the few encrypted messaging apps that are legal in Iran — and made increasingly generous offers. He would fly Kubecka to Iran all-expenses-paid, he said, and provide a salary of 100,000 Euros per month for her training.
At the time, Kubecka was in and out of the hospital as she battled a fungal infection, but Joudaki demonstrated a level of patience that she found odd. He continued to send her messages over the course of nearly two years during her recovery.
“Under normal business circumstances, if a person can’t do business, raises reservations, and then has long absences, you don’t usually keep that burgeoning business relationship going,” Kubecka said. “He would do things like periodically send me well-wishes to make sure that I was okay.”
The first inkling that Joudaki wanted to hire Kubecka for illegal espionage came during a WhatsApp call in 2018. Joudaki asked her increasingly detailed questions about her past work with Saudi Aramco and asked if she could provide a training course on hacking critical infrastructure, with a focus on nuclear facilities. Years prior, Saudi Aramco suffered a sprawling cyberattack that US intelligence officials later attributed to Iran.
“This was already a bit dodgy and was getting dodgier,” Kubecka said.
State-run hacking groups are increasingly willing to pour money into efforts to lure top hacking talent from other countries. Kubecka refers to it as the United Arab Emirates model: “If you don’t have the hackers you need, buy the hackers you want.”
And as Kubecka’s experience demonstrates, hack-for-hire recruitment isn’t limited to dark web forums: It can begin in plain sight on public social media networks. The Iranian Ministry of Foreign Affairs didn’t respond to Insider’s request for comment.
Kubecka contacted the FBI shortly after the call to report the extent of her interactions with Joudaki — first through a contact, and then through a tip line — but said she never heard back, remarking that “it’s a black hole of what they do with that information.”
Now eager to shut off communication with Joudaki, she sent him a final WhatsApp message saying she would be unable to work with the Iranian telecom unit due to new, stricter sanctions against Iran imposed in 2018. Joudaki quickly replied that “many EU companies” were working with his agency despite the sanctions, “of course not directly.”
“I got a little peeved at what I perceived as bullying and illegal bribery attempts and espionage,” she said.
After that, she began sharing her story publicly. She recounted the episode during the AppSec California conference in 2018, including some screenshots of her messages with Joudaki in her presentation. Then in January 2019, while at a friend’s retirement party, she received a WhatsApp message that stopped her cold.
“Wishing you a happy New Year and hope you’re feeling better,” the message from Joudaki read. “What is your home address, so I can send you a gift?”
‘Don’t contact this person ever again’
Kubecka relayed the message to an acquaintance working in law enforcement, who reacted with alarm and put her in contact with an FBI agent. For the first time, Kubecka was able to disclose the full episode to the FBI with the assurance that her report was being received.
“I gave them everything I had. And they told me don’t contact this person ever again, for my own safety,” she said.
About a month later, Kubecka’s personal information — including her home address in the Netherlands — was posted to several European websites frequented by religious extremists that described her as an enemy of Iran. No physical threats to her wellbeing ever materialized, but she says she was shaken by the messages, given recent reports at the time of Iran hiring hitmen to kill dissidents in the Netherlands.
But in the wake of the incident, Kubecka says she resolved to get revenge against the Iranian telecom. She found inspiration in a report that a recent law in Iran required government surveillance cameras to be installed in public spaces.
Kubecka — who is now a distinguished chair at the Middle East Institute and CEO of her own firm, HypaSec — decided to put her experience hacking internet of things devices to use. She found where tens of thousands of those camera feeds were hosted and discovered that many of them had default admin credentials, making them easy to access. She turned over her findings to intelligence officials in the EU and US in July of 2019.
“I figured, if you’re going to f— with me, I will turn your surveillance apparatus against you,” she said. “As I like to say, revenge is best served over IoT.”