Google: North Korea is targeting security researchers

Hackers have created a fake security research blog they use to start conversations with legitimate cybersecurity professionals

State-sponsored actors in North Korea have been using social engineering attacks to target security researchers working at private firms and government organisations worldwide.

The warning comes from Google's Threat Analysis Group (TAG) team, which says this particular campaign has been ongoing for the past several months, and appears to be exploiting unpatched vulnerabilities in Windows 10 and Chrome.

In many cases, researchers' systems were infected after simply visiting websites controlled by hackers, even when the targeted systems were running the latest versions of Microsoft's OS and Google's browser.

TAG says the hackers pretend to be cybersecurity bloggers, in an attempt to interact with potential targets and gain their trust. They established a research blog that specifically focused on write-ups of previously uncovered vulnerabilities, with 'guests posts' using the bylines of legitimate security researchers.

Similarly they created multiple Twitter accounts, which were used to share links to their write-ups and videos of the exploits they 'found'. The group used other Twitter accounts they controlled to retweet their own posts.

On 14^th January, the hackers posted a video on YouTube that claimed to exploit CVE-2021-1647, a vulnerability Microsoft recently patched in Windows Defender .

After the video was identified as fake by many YouTube users, the threat group used another Twitter account to retweet the video and to (totally convincingly) claim it was "not a fake".

The hackers used multiple platforms to communicate with potential targets, including Twitter, Telegram, LinkedIn, Keybase, Discord and email.

After establishing initial communications, the state actors would ask if the target wanted to team up on vulnerability research. They would hen send a Visual Studio Project (for exploiting security bugs) and a DLL file to targets.

This malicious DLL file eventually established communication with actor-controlled C2 domains and sent sensitive information from the infected system to the hackers.

Google's TAG team listed specific hacker accounts in its write-up and advised people who have interacted with these accounts in the past to scan their systems for any signs of compromise.

"If you are concerned that you are being targeted, we recommend that you compartmentalise your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research," Google TAG team said.

The campaign appears to be the latest attempt by the North Korea-backed threat groups to target prominent individuals and institutions in foreign countries.

In August last year, the USA's FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned in a joint alert of remote access Trojan (RAT), dubbed BLINDINGCAN, created by North Korean cyber actors and attempting to target American government contractors in the defence sector.

In October, US agencies also published an advisory to warn organisations of North Korea's Kimsuky threat group, which was running cyber campaigns to collect sensitive information on various topics of interest to the regime.