Google’s Threat Analysis Group has identified an ongoing campaign that’s been targeting security researchers working on vulnerabilities over the past few months. The team says “a government-backed entity based in North Korea” is behind the attacks, which typically use social engineering to engage the victims. In a post detailing the campaign, TAG’s Adam Weidemann explained that the bad actors would go to great lengths to gain the victims’ trust, mostly by posing as researchers themselves.
They’d build their own research blogs and fill them with analysis of vulnerabilities that had been publicly disclosed to make themselves look legitimate. The bad actors also maintained Twitter accounts to post videos of their claimed exploits and to reach as many people as possible. In at least one instance, Google found one of the Twitter accounts defending a video the bad actors posted on YouTube containing an exploit that turned out to be fake.
Google’s TAG team said the attackers contacted their intended victims, asking to collaborate on vulnerability research. Aside from Twitter, they also used LinkedIn, Telegram, Discord, Keybase and email to reach out to their targets, sending them a Microsoft Visual Studio Project with malware to gain entry to their systems. In some cases, victims’ computers were compromised after visiting a bad actor’s blog after following a link on Twitter. Both methods led to the installation of a backdoor on the victims’ computers that connected them to an attacker-controlled command and control server.
These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email. We are providing a list of known accounts and IOCs in the blog post.— Shane Huntley (@ShaneHuntley) January 26, 2021
The victims’ systems were compromised while running fully patched and up-to-date Windows 10 and Chrome browsers. Google’s TAG Team has only seen the attackers targeting Windows systems, thus far, but it still can’t confirm “the mechanism of compromise” and is encouraging researchers to submit Chrome vulnerabilities to its bug bounty program. The team has also listed all the actor-controlled websites and accounts it has identified as part of the campaign.
Here’s their first contact.. Twitter has deleted the acct but they just said “hi” and “hello” to prompt the first two messages and then asked if I can do Windows kernel exploitation pic.twitter.com/VJmo4yzPoC— Richard Johnson (@richinseattle) January 26, 2021