A Chinese spy used LinkedIn to target thousands of British officials and attempt to mine secrets, according to a report.
The investigation, published in The Times, suggests an intelligence officer for Beijing’s main spy agency used aliases on the platform, which is the world’s biggest professional networking site, to try to bribe civil servants and officials working in the military and technology to pass on sensitive information.
MI5 chiefs have previously warned China is using espionage to target the UK’s tech and research sectors in an attempt to eat into the country’s commercial advantages.
LinkedIn, which has more than 900 million users worldwide, has come under fire for the lack of security checks users must undergo before setting up an account.
Last year, the platform introduced a feature that allows users to check when someone else’s profile was created and last updated as a way of identifying fake accounts.
But users can still affiliate themselves with a company without having to prove they have worked there.
This allows operators of phishing scams to claim they work at a legitimate organisation in an attempt to fool victims into believing they are a colleague or a business contact.
‘We are under attack’
Glenn Buff, a cybersecurity expert and member of the all-party parliamentary group on cybersecurity, said he would like to see LinkedIn do more about how the company verifies accounts.
“We are under attack and it’s very difficult for businesses to admit that to their shareholders,” he said.
“The attacks are more significant for some companies than for others. For some, this is thousands of attacks a day.
“If China were to do something we didn’t like, the limits of what we could do in terms of sanctions make it extremely difficult for us, so we need to be more honest about the kind of attacks we are experiencing.
“A lot of them originate from Russia and China.”
Chinese spy balloon gathered US intel
Russian agent worked inside British embassy
Employer checks ‘may not work’
Setting up a thorough method of proof would require LinkedIn to be in contact with every firm referenced as an employer.
Creating such checks may not work with the way LinkedIn is used, according to Jen Ellis, a member of the government’s cybersecurity advisory board.
“You can fraudulently associate yourself with an identity, but creating checks is very resource intensive and may not work,” she said.
“You need to have some contact with that organisation, so how do you make it work in real time with the level of employee churn [recorded on the platform]?”
She said a more effective method is for employees working in sensitive roles to receive thorough training on how to behave online and independently verify contacts made through social media platforms.
A spokesperson for LinkedIn said its staff scan the site for evidence of spying.
“Creating a fake account is a clear violation of our terms of service,” they said.
“Our threat prevention and defence team actively seeks out signs of state-sponsored activity and removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.”