Security researchers targeted by North Korean hackers

The social engineering campaign involves establishing a social media presence as well as a fake research blog

An ongoing campaign orchestrated by state-backed North Korean cyber criminals has been targeting security researchers investigating vulnerabilities as well as those working in security development.

Specific researchers are being targeted by a novel social engineering method, according to Google’s Threat Analysis Group, and lured into downloading a malicious payload. These efforts involve building a credible social media presence, creating a fabricated security blog, and then inviting legitimate security researchers to offer guest contributions.

“Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations,” said the organisation's Adam Weidemann.

“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.”

The North Korean hackers first established a security research blog and multiple Twitter profiles to interact with potential targets. They have been using these fake profiles to post links to fake research material, publish videos of claimed exploits and amplify the reach of other accounts they control.

Their blog also contains convincing write-ups of previously disclosed vulnerabilities, including guest contributions from legitimate security researchers who have unwittingly offered their analysis. All of this serves to build credibility for the hackers when they approach their targets.

Google’s researchers found one example of a supposed exploit that was fake: earlier this month the hackers posted fabricated proof that they could exploit CVE-2021-1647, a recently fixed Windows Defender flaw.

After establishing communication with their targets, the hackers would ask the researcher whether they wanted to collaborate on vulnerability research. They would then provide the researcher with a Visual Studio project.

Within this project would be source code for exploiting the vulnerability, as well as an additional malicious DLL that would be executed through Visual Studio Build Events. Once activated, this malware would immediately begin communicating with the North Korean command and control server.
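Build events are ordinary entries in the project's XML, so a researcher can inventory them before opening or building anything received from an unknown collaborator. The following Python script is an added example and is not code from the article or from Google's post; the sample .vcxproj, the review keywords and the function names are constructed for illustration (the PreBuildEvent, PreLinkEvent, PostBuildEvent, CustomBuildStep and Exec elements are standard MSBuild).

```python
"""Inventory every command a received Visual Studio C++ project would run at
build time, so it can be reviewed before the project is opened or built."""
import xml.etree.ElementTree as ET

# MSBuild elements whose <Command> child runs during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")
# Assumed review heuristics: script hosts and DLL loaders rarely belong in a PoC build.
REVIEW_TERMS = ("rundll32", "regsvr32", ".dll", "powershell", "wscript", "cscript", "mshta")

# Constructed sample .vcxproj: a benign copy step plus a PreBuildEvent that loads a DLL.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><ClCompile Include="poc.cpp" /></ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent><Command>rundll32.exe "$(ProjectDir)helper.dll",Run</Command></PreBuildEvent>
    <PostBuildEvent><Command>copy "$(TargetPath)" "$(SolutionDir)out"</Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="CustomStep" AfterTargets="Build">
    <Exec Command="echo built $(TargetName)" />
  </Target>
</Project>"""


def _local(tag):
    """Strip the MSBuild XML namespace (present in classic, absent in SDK-style projects)."""
    return tag.rsplit("}", 1)[-1]


def list_build_commands(vcxproj_xml):
    """Return (kind, condition, command) for each build event and <Exec> task, in file order."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for parent in root.iter():
        cond = parent.get("Condition", "")
        for child in parent:
            kind = _local(child.tag)
            if kind in EVENT_TAGS:
                for sub in child:
                    if _local(sub.tag) == "Command" and (sub.text or "").strip():
                        found.append((kind, cond, sub.text.strip()))
            elif kind == "Exec":
                label = f"Exec in Target '{parent.get('Name', '')}'"
                found.append((label, child.get("Condition", cond), (child.get("Command") or "").strip()))
    return found


def needs_review(commands):
    """Subset of commands matching one of the assumed review terms (case-insensitive)."""
    return [c for c in commands if any(t in c[2].lower() for t in REVIEW_TERMS)]
```

Run it over every .vcxproj, .props and .targets file in the received archive, since `<Import>` elements pull those files into the build as well.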

Google’s researchers also found evidence of researchers being infected with malware after visiting the fake security research blog by following a link on Twitter to a security write-up. 

Shortly after clicking the link, a malicious service was installed on the researcher’s Windows 10 system, and an in-memory backdoor began communicating with the command and control server.

The researchers have published a list of the known accounts the hackers have created, as well as aliases, on their blog detailing the campaign. These include multiple accounts on Twitter, LinkedIn, Telegram, Discord, Keybase and email. 

The Threat Analysis Group recommended that security researchers who are concerned they are being targeted should use separate physical or virtual machines (VMs) for general web browsing, interacting with other researchers, and accepting files from third parties.
