When the hunters become the hunted.
The threat of state-sponsored cyber hacking has become even more prevalent as a massive campaign by North Korean-linked hackers targeting security researchers working to keep us all safe has been uncovered.
Google’s Threat Analysis Group, whose researchers study how offensive cyber operations are carried out, announced on January 26 that it had identified a new campaign aimed specifically at people who work on vulnerability research and development. The campaign is notable not just for its targets – the people who usually keep us safe – but also for the way it works.
“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” explained Adam Weidemann of Google’s Threat Analysis Group.
The fake accounts on Twitter, which use names such as Billy Brown and BrownSec3 Labs, share links claiming they’ve identified exploits, and generally amplify each other across social media by resharing posts to gain credibility.
The idea behind the social engineering part of the campaign is to build up enough credibility for these entirely fictitious people to blend into the small but dedicated community of vulnerability researchers, so that no one questions their motives when they propose working together on a project that hides a malware payload.
It began with a blog
The blog that the fake researchers link to is an interesting one, and the main launchpad for the incursion into the field of security research. It exploits the tight-knit network of security researchers for its own gain, borrowing credibility by inviting guest posts from real people in the field, published alongside write-ups of publicly known exploits that have already been patched.
“Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,” said Adam Weidemann.
The posts are sometimes supported by faked video captures that purport to show a successful exploit – though in reality the footage is spoofed and shows no working exploit at all.
Even though the video was identified as a fraud by some commenters, the campaign’s networked tactics tried to clamp down on the criticism, with a separate Twitter account under the actors’ control retweeting the original post and denying that the video was fake.
Winning trust and taking victims
“The actors have been observed targeting specific security researchers by a novel social engineering method,” explained Weidemann. Trading on the credibility gained from interacting with other vulnerability researchers in the community, the North Koreans, still using fake identities, would ask specific researchers whether they wanted to collaborate on a project. If they said yes, they were sent a Visual Studio project that contained source code alongside a DLL; the DLL was custom malware that immediately began communicating with actor-controlled command-and-control (C2) domains.
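A project file received from a collaborator is itself an attack surface: a Visual Studio project is an MSBuild XML document, and it can carry build events and custom tasks that run commands as soon as the project is built, as well as references to binaries shipped next to the source. The following pre-flight audit is an added example written for this article and is not code from Google’s Threat Analysis Group or from the campaign; the way the sample project wires a bundled binary into a build event is an assumed illustration of where such a payload could be attached, not a description of the actual malware, and all file and command names in the constructed sample are placeholders.

```python
"""Audit a Visual Studio / MSBuild project (.vcxproj) before opening it.

Added example, not code from the article or from Google TAG. It flags
anything in a shared project that executes during a build (pre/post-build
events, custom build steps, Exec tasks) and any references to shipped
binaries, so a researcher can inspect them before the IDE ever builds.
"""
import os
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
# MSBuild elements whose <Command> child runs arbitrary commands at build time.
COMMAND_ELEMENTS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")
# File types that should not normally arrive bundled with a source-only PoC.
BINARY_EXTENSIONS = (".dll", ".exe", ".ocx", ".scr")

# Constructed sample (placeholder names): looks like a plain C++ proof-of-concept
# but ships a binary and runs it from a pre-build event and an Exec task.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
    <None Include="bin/helper.exe" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>$(ProjectDir)bin/helper.exe --init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="cmd /c setup.bat" />
  </Target>
</Project>
"""

# Constructed clean sample for comparison: source files only, no build events.
CLEAN_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
    <ClInclude Include="poc.h" />
  </ItemGroup>
</Project>
"""


def audit_project_xml(xml_text):
    """Return a list of (kind, detail) findings for one project file's XML."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    ns = {"m": MSBUILD_NS}
    findings = []
    # 1. Build events and custom build steps: the command text is the finding.
    for tag in COMMAND_ELEMENTS:
        for el in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = el.find("m:Command", ns)
            text = (cmd.text or "").strip() if cmd is not None else ""
            findings.append((f"build-event:{tag}", text))
    # 2. Exec tasks inside <Target> blocks run whatever their Command says.
    for el in root.iter(f"{{{MSBUILD_NS}}}Exec"):
        findings.append(("exec-task", el.get("Command", "").strip()))
    # 3. Any item that references a binary shipped with the project.
    for el in root.iter():
        inc = el.get("Include")
        if inc and inc.lower().endswith(BINARY_EXTENSIONS):
            findings.append(("bundled-binary-ref", inc))
    return findings


def audit_project_dir(path):
    """Audit every .vcxproj under path and flag binaries present on disk."""
    findings = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".vcxproj"):
                with open(full, "rb") as fh:
                    findings.extend((k, f"{name}: {d}") for k, d in audit_project_xml(fh.read()))
            elif name.lower().endswith(BINARY_EXTENSIONS):
                findings.append(("bundled-binary-file", os.path.relpath(full, path)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_project_xml(SAMPLE_VCXPROJ):
        print(f"{kind:28s} {detail}")
```

Run `audit_project_dir` on the unpacked project before opening it in Visual Studio; a source-only proof of concept should produce no findings, and any build event, Exec task or bundled binary deserves a look in a text editor (or a disposable VM) first. The check is deliberately simple and does not attempt to judge whether a command is malicious; its purpose is to make sure nothing executes silently on first build.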
“These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email,” said Adam Weidemann.
He also provided a list of aliases used by the hackers. “If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems.”
The fear is that the hackers have targeted vulnerability researchers in order to glean information that would let them launch targeted attacks exploiting pre-existing, but otherwise not publicly known, gaps in security. Such zero-day exploits are a boon to cyber criminals seeking access to systems and, through them, money that can be funnelled back to the state.
North Korea is renowned for having a determined, if not always technically world-leading, group of hackers under its command who are tasked with earning money for a pariah state that struggles to survive under crippling international sanctions.