North Korean Hackers Used Novel Social Engineering Ploy to Target Security Researchers

January 27, 2021 Updated: January 27, 2021

Google announced on Tuesday that its cyber threat experts have identified an “ongoing” hacking campaign that leveraged social media to target cybersecurity researchers at a range of organizations, and the attackers are believed to be linked to the North Korean regime.

In a statement, Google’s Threat Analysis Group (TAG) said the hackers behind the campaign used a range of ploys, including a novel social engineering method, to target individuals working on vulnerability research and development at a number of unspecified organizations.

“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” said Adam Weidemann of TAG in the statement.

The hackers used these Twitter profiles to post links to their blog posts, along with videos of their claimed exploits. After establishing a line of communication with the researchers, the hackers sought to persuade them to collaborate on vulnerability research projects. As part of the collaboration, the researchers were provided with a Visual Studio project, inside of which the hackers hid custom malware that would communicate with domains that they controlled.

Google didn’t specify how successful the hackers were or what kind of information may have been compromised.

Besides targeting researchers by means of social engineering, the hackers also embedded malware in blog posts. After researchers followed a link on Twitter that took them to the hackers’ blogs, “a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Weidemann said.

Weidemann noted that, at the time when the researchers visited the blogs, they were running fully patched and up-to-date Windows 10 operating systems and Chrome browser versions.

Google attributed the campaign to “a government-backed entity based in North Korea,” one of the biggest state sponsors of hacking alongside China, Iran, and Russia.

While the country has denied involvement, North Korea has been linked to major cyberattacks, including a 2013 campaign that paralyzed the servers of South Korean financial institutions, the 2014 hacking of Sony Pictures, and the WannaCry malware attack of 2017.

Simon Choi, a senior analyst at NSHC, a South Korean computer security firm, said cyberattacks linked to North Korea over the past few years have shown an improving ability to identify and exploit vulnerabilities in computer security systems. He said that, before 2016, North Korean cyber-intruders mostly relied on methods used by Chinese or Russian hackers.

“It’s notable that the computer security experts on Twitter who said they were approached by the hackers had been engaged in vulnerability research for Chrome and Windows 10,” Choi said.

“It’s not that easy to successfully penetrate these systems that are built with the latest security technologies,” he said. “For the North Koreans, it makes more sense to steal the vulnerabilities already discovered by the researchers because developing their own ways to exploit these systems is harder,” Choi added.

The 2014 Sony hack led to the release of tens of thousands of confidential Sony emails and business files. The WannaCry cyberattack in 2017 scrambled data on hundreds of thousands of computers at government agencies, banks, and other businesses across the globe and crippled parts of the British health care system.

The Associated Press contributed to this report.

Follow Tom on Twitter: @OZImekTOM