A recent phishing campaign by North Korean nation-state hackers successfully duped a number of security professionals who were involved in vulnerability research and development, according to a new report from Google’s Threat Analysis Group.
The unnamed threat group used various social engineering tactics to pose as fellow “white hat” security specialists, ensnaring the unsuspecting experts by convincing them that they were looking to collaborate on research, the TAG report shows.
The biggest part of this ruse involved the creation of a fake research blog, replete with write-ups and analysis. The hackers even lured in unsuspecting “guest” security writers to contribute, in an apparent “attempt to build additional credibility.” They also shared YouTube videos on social media in which they walked through “fake exploits” they claimed to have executed—another scheme to build trust.
A number of threat researchers spoke out on Twitter Monday night, claiming they had been targeted by the campaign.
The hackers loaded their blog with malware, in an attempt to compromise researchers who visited it. Clicking on a write-up hosted on the site delivered malware and created a backdoor that would “begin beaconing” (i.e., communicating) with the hacker group’s command and control server. Zero-day vulnerabilities were likely used in this campaign, as a majority of targeted individuals were running fully patched, up-to-date versions of the Chrome browser and Windows 10, the report notes.
Other methods of malware deployment occurred through “collaboration” on research. The report states:
“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
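The delivery path quoted above relies on the fact that a Visual Studio project can run arbitrary commands as part of a build. A practical defensive check is to enumerate those commands before building a project received from an unfamiliar collaborator. The following script is an added example, not code from the TAG report or from the campaign it describes; it parses the standard MSBuild `.vcxproj` XML (build-event `<Command>` elements and `<Exec>` tasks inside custom `<Target>` elements) and flags commands matching a small, assumed heuristic list of loaders and script hosts. The sample project embedded in it is constructed for the example.

```python
"""Enumerate and triage build-time commands in a Visual Studio .vcxproj.

Added example for review of shared projects; not the TAG report's tooling.
The heuristic pattern list and the sample project below are assumptions
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
NS = {"m": MSBUILD_NS}

# Build-event elements whose <Command> text runs as a shell command during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")

# Heuristic list (an assumption, not a signature): things a reviewer would want
# to look at before building someone else's project.
SUSPICIOUS = re.compile(
    r"(rundll32|regsvr32|powershell|certutil|mshta|wscript|cscript"
    r"|\.dll\b|\bcmd(\.exe)?\s+/c)",
    re.IGNORECASE,
)


def extract_build_commands(vcxproj_xml: str) -> list[dict]:
    """Return every command a build of this project would execute, with its origin."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    # Classic build events: ItemDefinitionGroup/<Event>/Command
    for tag in EVENT_TAGS:
        for event in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = event.find("m:Command", NS)
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append({"origin": tag, "command": cmd.text.strip()})
    # Custom targets hooked onto the build can run <Exec Command="..."/> too.
    for target in root.iter(f"{{{MSBUILD_NS}}}Target"):
        for ex in target.findall("m:Exec", NS):
            cmd = ex.get("Command", "").strip()
            if cmd:
                name = target.get("Name", "?")
                found.append({"origin": f"Target:{name}", "command": cmd})
    return found


def flag_suspicious(commands: list[dict]) -> list[dict]:
    """Keep only the commands that match the heuristic pattern list."""
    return [c for c in commands if SUSPICIOUS.search(c["command"])]


# Constructed sample: a project with a benign pre-build echo, a post-build
# event that loads a DLL via rundll32, and a custom target that launches PowerShell.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>echo building $(ProjectName)</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)\\helper.dll",Run</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Helper" AfterTargets="Build">
    <Exec Command="powershell -w hidden -c Start-Process helper.exe" />
  </Target>
</Project>"""


if __name__ == "__main__":
    for entry in extract_build_commands(SAMPLE_VCXPROJ):
        marker = "!!" if SUSPICIOUS.search(entry["command"]) else "  "
        print(f"{marker} [{entry['origin']}] {entry['command']}")
```

Running the script on a real project tree (`for p in Path('.').rglob('*.vcxproj')`) lists every command the build would run; anything flagged deserves a manual read before the project is opened in an IDE that builds on load. Solution-level `.props` and `.targets` imports can carry the same elements and should be scanned with the same functions.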
A variety of tools were used to aid in the threat group’s deception, including emails, fake Twitter and Telegram accounts, LinkedIn, Keybase, and others. In their report, TAG researchers listed the URLs for a number of now-defunct social media and LinkedIn accounts that they say were used in the campaign.
“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” TAG researchers wrote.
The researchers say they have not yet discovered the “mechanism of compromise” the hackers used against targeted security researchers, “but we welcome any information others might have.”