Google reveals North Korea-backed campaign targeting security researchers

Google’s Threat Analysis Group (TAG) has identified an ongoing campaign, active over recent months, that targets security researchers working on vulnerability research. The team attributes the attacks to “a government-backed entity based in North Korea” and notes that they typically rely on social engineering to engage victims. In a post detailing the campaign, Adam Weidemann of TAG explained that the attackers went to great lengths to gain their victims’ trust, in particular by posing as fellow security researchers.

They built their own research blogs and filled them with write-ups of vulnerabilities that had already been publicly disclosed, so that the blogs appeared legitimate. The attackers also maintained Twitter accounts, used to post videos of their supposed exploits and to reach as many people as possible. In at least one case, Google found one of these Twitter accounts vouching for a video the attackers had posted on YouTube that purported to show an exploit but turned out to be fake.

Google’s TAG team said the attackers contacted their intended victims and asked them to collaborate on vulnerability research. Besides Twitter, they used LinkedIn, Telegram, Discord, Keybase and e-mail to reach their targets, and then sent them a Microsoft Visual Studio project containing malware that compromised their systems. In other cases, victims’ computers were compromised simply by visiting the attackers’ blog after following a link on Twitter. Both methods resulted in a backdoor being installed on the victim’s machine that connected it to an attacker-controlled command-and-control server.

Victims’ systems were compromised while running fully patched and up-to-date versions of Windows 10 and Chrome. So far, the Google TAG team has only observed the attackers targeting Windows systems, but it still cannot confirm “the compromise mechanism” and is encouraging researchers to report Chrome vulnerabilities through its bug bounty program. The team also published a list of all actor-controlled sites and accounts it identified as part of the campaign.
