According to the Google Threat Analysis Group (TAG), which focuses on nation-state attacks, a North Korea-linked APT group has targeted experts working on security vulnerability research.
TAG’s report states that over the past several months, the Google team has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign are attributed to a government-backed entity based in North Korea and have used various means to target researchers.
The attackers targeted the researchers through multiple social networking platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase.
The threat actors used a network of fake profiles to get in contact with researchers while in some cases the victims were also contacted via email.
To contact the security researchers, the threat actors also created a research blog and used a network of Twitter profiles to interact with potential targets. Attackers used Twitter profiles for sharing links to their blog, to share videos of their claimed exploits, and for amplifying and retweeting posts from other accounts under their control.
The team states that the attackers were found to be targeting specific security researchers using a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research, and then provide the researcher with a Visual Studio project.
The Visual Studio project used by the attackers included the source code for exploiting the vulnerability along with an additional DLL, a backdoor, that would be executed through Visual Studio Build Events when the project was built.
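As an added illustration, not code from the TAG report or this article, the following defender-side check lists every MSBuild build-event command in a `.vcxproj` file and flags the ones that load a DLL or launch a script, which is the kind of command a reviewer would want to see before building a project received from a stranger; the sample project, the `helper.dll` name and the indicator list are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild namespace used by .vcxproj files.
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
# Build-event elements a .vcxproj can carry; each runs a shell command during the build.
BUILD_EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Heuristic indicators (an assumption, not taken from the TAG report): ways a build
# command could load a DLL or launch a script rather than just copying build output.
SUSPICIOUS = re.compile(r"rundll32|regsvr32|powershell|\.dll\b", re.IGNORECASE)


def find_build_events(vcxproj_xml: str):
    """Return (event_tag, command) pairs for every build-event command in the project XML."""
    root = ET.fromstring(vcxproj_xml)
    ns = {"m": MSBUILD_NS}
    events = []
    for tag in BUILD_EVENT_TAGS:
        for node in root.iterfind(f".//m:{tag}", ns):
            cmd = node.find("m:Command", ns)
            if cmd is not None and cmd.text and cmd.text.strip():
                events.append((tag, cmd.text.strip()))
    return events


def flag_suspicious(vcxproj_xml: str):
    """Return only the build-event commands that match the DLL/script heuristic."""
    return [(tag, cmd) for tag, cmd in find_build_events(vcxproj_xml) if SUSPICIOUS.search(cmd)]


# Constructed sample project (not a real attacker artifact): one harmless copy step
# and one pre-build command that loads a DLL shipped alongside the sources.
SAMPLE_VCXPROJ = f"""<Project xmlns="{MSBUILD_NS}">
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out\\"</Command>
    </PostBuildEvent>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for tag, cmd in flag_suspicious(SAMPLE_VCXPROJ):
        print(f"[{tag}] {cmd}")
```

Run it against a project before opening it in Visual Studio; the flagged pre-build event is the one that would execute without any code being run by the researcher.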
The threat actors also conducted watering hole attacks, in which victims were compromised after visiting the threat actors’ blog. The attackers shared a link on Twitter to a post on blog.br0vvnn[.]io; the site was designed to deliver a malicious service to the researcher’s system and inject a backdoor directly into the memory of the target system.
According to the Google TAG experts, this mechanism involved zero-day exploits because it was able to infect visitors using fully patched and up-to-date Windows 10 and Chrome browser versions.
The Google TAG report includes a list of actor-controlled sites and accounts and invites security researchers to review their online activities and contacts to discover whether they have interacted in any way with these threat actors.
Security researchers are also advised to review their browsing histories and see if they interacted with the threat actors.
For researchers who are concerned about being targeted by the hacking group, the Google experts suggest compartmentalizing their research activities, using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties, and their own security research.
Image Credits : Fox Business