Google warns researchers targeted by North Korean hackers via social media

The team said the attackers seemed to target only Windows systems, and that users running fully updated Windows 10 and Chrome browsers were still infected, suggesting the attacks exploited previously undetected flaws, also known as zero-day vulnerabilities.
By HT TECH
| Updated on Jan 26 2021, 09:34 PM IST
The team at Google believes that the attacks were carried out by a government-backed entity based in North Korea. (Bloomberg)

Google’s Threat Analysis Group (TAG) has warned that it has discovered a relatively new campaign over the last several months that targeted security researchers and other members of the infosec community across several companies.

The team at Google believes that the attacks were carried out by a government-backed entity based in North Korea, Google TAG’s Adam Weidemann said in a blog post on Monday.

As the infosec community is usually wary of suspicious-looking accounts or sources of information, the attackers created a ‘research blog’ and set up multiple Twitter accounts, which they then used to get in touch with their targets, the researchers. Those accounts disseminated posts made to the research blog, which were then retweeted by other accounts to give them a sense of credibility and amplify them, the threat analysis team said.

As the infosec community is usually wary of suspicious looking accounts or sources of information, the attackers had created a ‘research blog’ and set up multiple Twitter accounts which they then used to get in touch with their targets - the researchers. (Google TAG)

What’s interesting is that while the attackers’ blog had analyses of publicly disclosed vulnerabilities, they also managed to convince legitimate security researchers to contribute as ‘guests’ to their site, perhaps luring them with the promise of a good platform to be featured on and a chance to network with other researchers. The researchers were contacted on Twitter, LinkedIn, Telegram, Discord and Keybase.


Those who agreed to collaborate were sent a Visual Studio Project, which would infect the targeted researcher’s computer, install a backdoor that connected to an attacker-controlled server, and then wait for commands from that server. Google says the attackers seemed to target only Windows systems. Also, users who were running updated Windows 10 and Chrome browsers were still infected, suggesting the attacks exploited previously undetected flaws, also known as zero-day vulnerabilities.
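The article does not say how the shared project triggered the infection, but a Visual Studio project file is an MSBuild script, and anything placed in its build-event or Exec elements runs the moment the project is built. The checker below, an added example and not code from Google TAG or the article, parses a .vcxproj and lists every command MSBuild would execute, so a researcher can inspect a project received from an unknown contact before opening it in the IDE. The sample project text is constructed for the demonstration; the assumption that build events are the relevant vector is the author's, not the article's.

```python
import xml.etree.ElementTree as ET

# MSBuild elements whose contents are executed during a build. Assumption
# (not stated in the article): a booby-trapped project would hide its
# payload in one of these, so they are what a reviewer should inspect.
SUSPECT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuild", "Exec"}


def _local(tag):
    """Drop the XML namespace so classic and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(vcxproj_text):
    """Return (element, command) pairs for every command the project runs on build."""
    root = ET.fromstring(vcxproj_text)
    hits = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in SUSPECT_TAGS:
            continue
        if name == "Exec":
            # <Exec Command="..."/> inside a <Target> carries the command as an attribute.
            cmd = elem.get("Command", "")
        else:
            # Build events carry a nested <Command> child.
            child = next((c for c in elem if _local(c.tag) == "Command"), None)
            cmd = (child.text or "") if child is not None else ""
        if cmd.strip():
            hits.append((name, cmd.strip()))
    return hits


def is_clean(vcxproj_text):
    """True only when the project executes nothing outside the normal compile/link."""
    return not find_build_commands(vcxproj_text)


# Constructed sample: a project that runs a script before compiling anything.
SAMPLE_SUSPECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cmd /c "$(SolutionDir)Browse\setup.bat"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

# Constructed sample: a plain project with no build-time commands.
SAMPLE_CLEAN = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><ClCompile Include="main.cpp" /></ItemGroup>
</Project>"""
```

A non-empty result is not proof of malice, since legitimate projects use build events too, but a project from a stranger that runs anything at all before compilation deserves a look inside a disposable VM, as Weidemann recommends below.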

While the attackers’ blog had analyses of publicly disclosed vulnerabilities, they also managed to convince legitimate security researchers to contribute as ‘guests’ to their site (Google TAG)

“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” Weidemann wrote. “If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” he added.


First Published Date: 26 Jan, 09:34 PM IST