Google Reveals North Korea's Security Researcher-Targeting Campaign

1 month ago 63

The hackers have been posing as fellow researchers to gain trust.

January 26, 2021

Google Reveals North Korea's Security Researcher-Targeting Campaign

A North Korean government-backed campaign has been targeting security researchers around the world for months, as revealed Google's Threat Analysis Group (TAG).

It turns out the researchers were targeted as they work on vulnerability research and development at different companies and organizations, and that the bad actors mostly posed as researchers themselves to gain their trust. 


To gain credibility, the bad actors created their own research blogs, and profiles on Twitter, LinkedIn, Telegram, Discord, Keybase, and email. They would then reach out to the researchers and send links to their fake blogs, which were filled with analysis of vulnerabilites that had publicly been shared so as to look legitimate, explained TAG.

Once communication was open and trust was gained, the bad actors would ask to collaborate on a vulnerability research project together. Then, they would send their victims a Microsoft Visual Studio Project with malware that enabled them to gain entry to the researchers' systems.

At other times, some of the researchers' systems were compromised after clicking on a link provided by the bad actor. Both methods enabled the bad actors to gain backdoor access to the researchers' computers.

As TAG discovered, the victims' computers were compromised as they ran fully patched and up-to-date Windows 10 and Chrome browsers, and TAG has only seen the Windows' system attacks so far. 

The TAG team has listed some of the attackers' accounts and websites it has found, and some victims of these attacks have posted warnings on platforms such as Twitter, as can be seen below: 

Here’s their first contact.. Twitter has deleted the acct but they just said “hi” and “hello” to prompt the first two messages and then asked if I can do Windows kernel exploitation

— Richard Johnson (@richinseattle) January 26, 2021

Hi @ShaneHuntley see my thread, z0x55g targeted me and is currently still active on Telegram under user kw0dem. I can provide the .suo sample if it will help

— Richard Johnson (@richinseattle) January 26, 2021

And Shane Huntley from Google has been warning researchers via Twitter: 

In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog.
The victim systems were running fully patched and up-to-date Windows 10 and Chrome

— Shane Huntley (@ShaneHuntley) January 26, 2021
North Korea's Capital Pyongyang's Architecture Explained North Korea May Be Training Dolphins for Its Navy Northrop Grumman Successfully Tests Its New Solid Rocket Motor NASA Starts Flight Testing Campaign With eVTOL Makers to Deliver Flying Taxis
Read Entire Article