ELITE MORAN



For several months, Google’s Threat Analysis Group (TAG) tracked a sustained campaign in which North Korean hackers targeted security researchers working on vulnerability research and development at different organizations. Believed to be sponsored by the North Korean government, the threat actors created multiple fake social media profiles on platforms such as Twitter, LinkedIn, and Keybase. “To build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” Google noted. They used these profiles to post links to their research blog, share videos in which they claimed to demonstrate exploits, and amplify posts from other accounts under their control.

What is the motive?

The news that North Korean actors were targeting security researchers spread like wildfire, and the cybersecurity community warned researchers not to interact with unknown contacts online or on social media. But what was the actors’ motive? According to Dirk Schrader, Global Vice President at New Net Technologies, targeting security researchers would give North Korean attackers a head start in developing advanced capabilities for attacking systems and networks. “This appears to be an attempt to get broader access to a number of security researchers to have early information about the issues and vulnerabilities they are working on,” Schrader explained.

In particular, security researchers typically follow responsible disclosure: they report the vulnerabilities they find to the vendor, and the vendor then develops a patch, which can take days or months. That window is the catch. Early access to a vulnerability that has been found but not yet fixed would let an APT group exploit it before a patch ships. “The APT group likely would have garnered valuable info and provided itself a head start on exploiting the vulnerabilities discovered by those researchers.”

Strategies used to target security researchers


  1. Posing as Samsung recruiters

According to Google’s Threat Horizons Report, the state-backed actors posed as Samsung recruiters to target South Korean security firms. They sent South Korean employees fake job offers, concentrating on staff at companies that specialize in anti-malware products. “The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader,” Google notes in the report.

When the target reported that the file would not open, the hackers would send a link to download a “Secure PDF Reader” app, a trojanized version of a legitimate reader that installed a backdoor once the victim ran it on their computer. Microsoft, which tracked the same actors’ techniques, concluded that the attackers were attempting to acquire unreleased exploits and vulnerabilities for use in targeted supply chain attacks against South Korean companies that use the targeted anti-malware products.

  2. Zero-day vulnerabilities

The Lazarus Group, a well-known North Korean state-backed group, built elaborate fake social media personas and used them to socially engineer security researchers. The attacks involved sending links to a malicious website, or inviting researchers to collaborate on a vulnerability research project and then sending them a malicious Visual Studio project. According to Google’s TAG, such a project contained source code for an exploit together with an additional DLL that was executed through Visual Studio build events, installing a backdoor on the victim’s computer as soon as the project was built.

Some of the researchers who were compromised were running a fully patched Windows 10 system and the latest version of Google Chrome, which indicates that the attackers used zero-day exploits. Separately, a South Korean cybersecurity company discovered an Internet Explorer zero-day after an attack targeting its own researchers failed.

  3. Turning a fake blog page into a honeypot

The hackers also used their fake research blog to serve malware to visiting researchers. Google’s TAG notes that, in each case, the attackers would lure researchers into following links posted from the fake Twitter accounts to read more about their research and exploits. Visiting the malicious site installed a malicious service on the victim’s system, and an in-memory backdoor would then begin communicating with a command and control server under the attackers’ control. As with the Visual Studio lure, these drive-by compromises hit fully patched Windows 10 machines running up-to-date Chrome, again pointing to zero-day exploits.
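Two of the lures above lend themselves to a simple pre-open triage: a “job description” that claims to be a PDF but does not parse as one, and a Visual Studio project whose build events run a command the moment the project is built. The following Python script is an added example, not code from the article or from Google TAG. The sample PDF bytes and the .vcxproj text are constructed for illustration, and the list of command patterns it flags is an assumption (common LOLBins and PowerShell flags), not an exhaustive indicator list.

```python
"""Triage checks for files received from an unsolicited "fellow researcher".

Added example, not code from the article or from Google TAG.
  1. Does the attachment actually parse as a PDF?
  2. Does a Visual Studio / MSBuild project run a command on build?
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# MSBuild elements whose <Command> child is executed when the project builds.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Assumption: an illustrative (not exhaustive) set of launchers and flags that
# have no business in a build step of a proof-of-concept project.
SUSPICIOUS_COMMAND = re.compile(
    r"(powershell|pwsh|rundll32|regsvr32|mshta|certutil|bitsadmin|wscript|cscript"
    r"|-enc(odedcommand)?\b|-executionpolicy\s+bypass|\.dll\b)",
    re.IGNORECASE,
)


def looks_like_pdf(data: bytes) -> bool:
    """True if the data has a PDF header within the first 1024 bytes (where the
    PDF spec allows it) and an end-of-file marker in its trailer."""
    return b"%PDF-" in data[:1024] and b"%%EOF" in data[-2048:]


def _local(tag: str) -> str:
    """Strip the XML namespace so classic .vcxproj (namespaced) and SDK-style
    projects (no namespace) are handled alike."""
    return tag.rsplit("}", 1)[-1]


def build_commands(project_xml: str) -> list[dict]:
    """Return every shell command the project would execute on build:
    Pre/Post build-event <Command> elements and <Exec Command="..."> tasks,
    each marked suspicious if it matches SUSPICIOUS_COMMAND."""
    root = ET.fromstring(project_xml)
    found: list[dict] = []
    for el in root.iter():
        name = _local(el.tag)
        if name in BUILD_EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append({"source": name, "command": child.text.strip()})
        elif name == "Exec" and el.get("Command"):
            found.append({"source": "Exec task", "command": el.get("Command").strip()})
    for item in found:
        item["suspicious"] = bool(SUSPICIOUS_COMMAND.search(item["command"]))
    return found


def triage(project_xml: str | None = None, pdf_bytes: bytes | None = None) -> list[str]:
    """Human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    if pdf_bytes is not None and not looks_like_pdf(pdf_bytes):
        findings.append("attachment does not parse as a PDF; do not install a 'special' reader for it")
    if project_xml is not None:
        for item in build_commands(project_xml):
            if item["suspicious"]:
                findings.append(f"{item['source']} runs: {item['command']}")
    return findings


# Constructed samples for demonstration; not artifacts from the campaign.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
SAMPLE_NOT_PDF = b"\x00\x01not a pdf at all\x00" * 8
SAMPLE_VCXPROJ = """<Project ToolsVersion="16.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
    <None Include="helper.dll" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_VCXPROJ, SAMPLE_NOT_PDF):
        print("FLAG:", line)
```

Run it against any .vcxproj or .csproj before opening the solution in Visual Studio; the point is to read the build events in a plain text tool, since opening the project in the IDE and pressing Build is exactly the action the lure depends on.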


Impersonating Researchers to steal intel


Moving away from the social engineering and zero-day exploits that Google’s TAG identified in 2021, the North Korean actors are now impersonating researchers to collect intelligence about North Korea itself. The Microsoft Threat Intelligence Center (MSTIC) reported that the threat actors now rely on simple impersonation rather than spear-phishing emails and information-stealing malware to gather intelligence.

Specifically, the attackers send spoofed emails that appear to come from renowned security researchers, asking recipients for their views on North Korean security matters and even offering payment for written security reports. This tactic, in use since January 2022, is an easier and quicker way to extract information from many researchers than advanced malware and spear-phishing emails. “The attackers are getting information directly from the horse’s mouth, if you will, and they don’t have to sit there and make interpretations because they are getting it from the expert,” said James Elliott, a member of the MSTIC team.