Google has warned security researchers they are being targeted by an ongoing government-backed hacking campaign based in North Korea.
The tech giant said it uncovered several false social media profiles on platforms including Twitter and LinkedIn, where bad actors would lure targets to a fake blog featuring “guest” posts from unwitting legitimate security researchers.
According to Google’s Threat Analysis Group, attackers would then start talking to potential targets, asking if they would like to work together on cyber vulnerability research and use collaboration tools with hidden malware.
“These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email. We are providing a list of known accounts and IOCs in the blog post.
“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.”
The North Korean hackers first established a security research blog and multiple Twitter profiles to interact with potential targets. They have been using these fake profiles to post links to fake research material, to publish videos of claimed exploits and to amplify the reach of other accounts they control.
Their blog also contains convincing write-ups of vulnerabilities that have been previously disclosed, including guest contributions from legitimate security researchers who’ve unwittingly offered their analysis. This is all so the hackers can build credibility when approaching their targets.
North Korean state attacks legitimate security researchers
Threat researchers specialising in vulnerability research and development appear to be the targets of a North Korean state-backed group
Published: 26 Jan 2021 14:30
An ongoing campaign targeting legitimate security researchers within the industry appears to be the work of a government-backed entity based in North Korea, according to a new report from Google’s Threat Analysis Group, which has been tracking the campaign for a few months.
The group members have spent time and effort building credibility as legitimate cyber security researchers themselves, setting up a research blog and using sock puppet Twitter profiles both to interact with their targets and amplify their own reach.