North Korean hackers targeting researchers with fake websites and social media accounts, warns Google

Hemani Sheth Mumbai | Updated on April 02, 2021

Cybercriminals were leveraging multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email

Google has provided an update on a previous campaign discovered by its Threat Analysis Group (TAG) researchers targeting cybersecurity researchers working for different companies and organisations.

In January, the Threat Analysis Group had documented a hacking campaign that was attributed to a North Korean government-backed entity, targeting security researchers.

The tech giant further provided an update that on March 17, the same actors behind those attacks set up a new website with associated social media profiles for a fake company called “SecuriElite.”


“The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits,” the tech giant said in a blog post.

Since the January blog post, security researchers have identified these actors using an Internet Explorer 0-day. The lure that led targets to the page hosting the 0-day was the PGP public key linked from the attacker’s site. PGP (Pretty Good Privacy) is an encryption program.

“Like previous websites we’ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page. In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered,” explained the post.

Social media profiles

As documented in January, the attackers also leveraged various social media profiles to target researchers. Previously, Google had found that these cybercriminals were leveraging multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email, according to the post.

“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control,” Adam Weidemann of the Threat Analysis Group had explained in the January blog post.


Researchers found that the attacker’s latest batch of social media profiles continued the trend of posing as fellow security researchers interested in exploitation and offensive security.

“On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Google said.

Though no malicious content has been observed yet on the new attacker website, the tech giant has added it to Google Safe Browsing as a precaution.

The list of recently found sites and accounts controlled by the threat actor is on the blog.

“We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerabilities Rewards Program submission process,” it said.

Published on April 02, 2021