Google’s Threat Analysis Group (TAG) has been actively monitoring and thwarting multiple cyber campaigns conducted by North Korean threat actors since January 2021. Recently, TAG uncovered a second cyber campaign targeting security researchers [3] [5], indicating an increase in frequency and sophistication.

Description

The attackers, posing as fellow researchers, have been targeting cybersecurity professionals themselves for nearly two years. They use social media and messaging platforms such as LinkedIn, Telegram, Discord, and email [5], as well as encrypted messaging apps, to build relationships with their targets [1] [4], and they set up fake research blogs and Twitter accounts to appear legitimate [5]. Through social engineering [4] [5], they hold lengthy conversations with a researcher before eventually sending malware-infected files that give them access to the researcher's system, which allows them to collect and exfiltrate sensitive information. Alongside the malware-infected files, the attackers have also used a fake software tool and extensive phishing. This new campaign aims not only to steal information but also to gain insight into defense mechanisms and refine tactics to better evade detection [3].

TAG has promptly reported the vulnerabilities exploited in these attacks to the affected software vendor for patching and is encouraging researchers to submit any Chrome vulnerabilities to its bug bounty program. The threat actors have also developed a Windows tool capable of downloading debugging symbols from major symbol servers [2], potentially compromising the systems of their victims. TAG advises anyone who may have downloaded or executed this tool to take precautionary measures, including considering a system reinstall. To raise awareness and promote vigilance within the security research community, TAG has shared some details of its findings and identified the actor-controlled websites and accounts involved in the campaign.

Conclusion

This cyber campaign targeting security researchers has significant impacts on the cybersecurity community. It highlights the increasing frequency and sophistication of attacks by North Korean threat actors. The attackers’ use of social media platforms, encrypted messaging apps [1] [2] [4], and fake accounts demonstrates their adaptability and ability to deceive professionals in the field. The stolen information not only poses a risk to individual researchers but also compromises defense mechanisms and allows the attackers to refine their tactics. TAG’s prompt reporting of vulnerabilities and encouragement of bug submissions contribute to mitigating the risks posed by this campaign. However, the development of a Windows tool capable of compromising victims’ systems raises concerns about future attacks. It is crucial for individuals who may have downloaded or executed this tool to take precautionary measures, including considering a system reinstall. TAG’s efforts to raise awareness and identify actor-controlled websites and accounts play a vital role in combating this campaign and promoting vigilance within the security research community.

References

[1] https://www.computerweekly.com/news/366551513/North-Koreans-using-new-zero-day-to-target-security-researchers
[2] https://www.infosecurity-magazine.com/news/north-korean-campaign-targets/
[3] https://www.darkreading.com/threat-intelligence/north-korean-hackers-target-security-researchers-again
[4] https://thehackernews.com/2023/09/north-korean-hackers-exploit-zero-day.html
[5] https://www.engadget.com/google-north-korean-campaign-security-researchers-060603985.html