Google says North Korean hackers are targeting security researchers

A group of North Korean hackers is attempting to compromise cybersecurity researchers through an intricate campaign, including a bogus cybersecurity blog and fake Twitter accounts, according to Google’s Threat Analysis Group.

TAG claims that the hacking group is backed by the North Korean government and is using a combination of a “novel” social engineering campaign and malware to target cybersecurity researchers in other parts of the world, according to a Jan. 25 blog post.

In its attempts to pass itself off as a legitimate cybersecurity research organization, the hacking group invites researchers to collaborate through Visual Studio, a Microsoft development environment. The shared Visual Studio code contains malware, TAG said.
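The article does not say how the shared project delivers its payload, but any MSBuild project file (.vcxproj, .csproj, .props, .targets) can run commands at build time through build events and Exec tasks, so a project received from a stranger deserves a look before it is opened in Visual Studio. The script below is an added example written for this article; it is not TAG's code and has nothing to do with the campaign's actual files. It assumes only standard MSBuild XML, and the two sample projects are constructed for illustration.

```python
"""Pre-open review of an MSBuild/Visual Studio project file from a third party.

Added example, not TAG's code. Assumes only that MSBuild executes the commands
found in build events (PreBuildEvent, PreLinkEvent, PostBuildEvent) and in
<Exec Command="..."/> tasks, which is standard MSBuild behaviour.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# MSBuild constructs that run a shell command during a build (real element names).
EVENT_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ("{uri}Name" -> "Name") from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str) -> List[Tuple[str, str]]:
    """Return (construct, command) for every build-time command in the project XML."""
    root = ET.fromstring(project_xml)
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "Exec":
            # <Exec Command="..."/> inside a <Target>
            cmd = (elem.get("Command") or "").strip()
            if cmd:
                found.append((name, cmd))
        elif name in EVENT_ELEMENTS:
            # .vcxproj nests a <Command> child; old-style .csproj puts the text directly.
            child = next((c for c in elem if _local(c.tag) == "Command"), None)
            text = child.text if child is not None else elem.text
            cmd = (text or "").strip()
            if cmd:
                found.append((name, cmd))
    return found


def review(project_xml: str) -> str:
    """Summarise the project: 'clean' when nothing runs at build time, else list it."""
    cmds = find_build_commands(project_xml)
    if not cmds:
        return "clean: no build-time commands"
    lines = [f"{len(cmds)} build-time command(s) found; inspect before building:"]
    lines += [f"  {construct}: {cmd}" for construct, cmd in cmds]
    return "\n".join(lines)


# Constructed sample project files (illustrative only, not from the campaign).
CLEAN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><ClCompile Include="main.cpp" /></ItemGroup>
</Project>"""

PROJECT_WITH_EVENTS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><ClCompile Include="main.cpp" /></ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>echo pre-build step</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="echo after-build step" />
  </Target>
</Project>"""

if __name__ == "__main__":
    print(review(CLEAN_PROJECT))
    print(review(PROJECT_WITH_EVENTS))
```

Run it against a project file's text before loading the project; a non-empty result does not prove anything malicious, but it tells you exactly which commands Visual Studio will execute on your behalf the moment you build, which is the decision TAG's advice about handling third-party files on a separate machine is meant to protect.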

Malware is also hosted on the hacking group’s fake cybersecurity blog, TAG said. The blog “contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,” TAG’s Adam Weidemann wrote.

The hacking group has communicated with security researchers using several methods, including Twitter, LinkedIn, Telegram, Discord, and email, TAG said.

It’s unclear what information the hacking group is looking for, but TAG warned security researchers to be careful.

“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties, and your own security research,” TAG recommended.

In this case, it appears the North Korean hackers are looking for new information about vulnerabilities and other cybersecurity issues, said Dirk Schrader, global vice president at New Net Technologies, a provider of cybersecurity and compliance software.

“If it would have been more successful — we don’t know yet how many researchers actually got caught — the [hacking] group likely would have garnered valuable info and would have provided itself a head start when it is about exploiting the vulnerabilities discovered by those researchers,” he told the Washington Examiner.

In many cases, security researchers first inform software vendors of vulnerabilities so the bugs can be fixed before they are disclosed to the public. Learning of those vulnerabilities early would allow the North Korean hackers to “leap forward in their capabilities to attack networks and systems.”

Other security experts said this attack was particularly bold.

“While there’s a vibrant cybersecurity community with good intentions to share ideas and material, it’s well known that people with different intents can show up occasionally,” said Andrea Carcano, co-founder of Nozomi Networks, a cybersecurity firm. “What’s new about the attack documented by Google TAG is the boldness of this threat actor and its willingness to risk sophisticated zero-day exploits to target researchers.”

In some cases, a security researcher will analyze the code shared by the hacking group, Carcano told the Washington Examiner. However, he added that the “scariest” part of the campaign is the malware delivered when researchers visit websites with technical documentation.

“It’s plausible sometimes to use a development machine to browse that sort of website and thus give access to the latest finding to the attacker,” he said.

North Korean hackers are well trained and often conduct deep research on their targets, added Jim Angleton, president of Aegis FinServ, a banking and government consulting firm with a cybersecurity division. Personal contacts with targets are often the first step toward larger attacks, Angleton told the Washington Examiner.

He said this new attack appears to be part of a more considerable effort targeting executives and professionals working from home.

These types of multilevel attacks are the future, he added. In some cases, North Korean hacking groups hire United States residents and Europeans to “send spam messages” using the native languages of the targets.
