Google believes that hackers in North Korea are pretending to be cybersecurity bloggers and targeting researchers in the field on social media platforms like Twitter and LinkedIn.
The search giant announced that its Threat Analysis Group has “identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations.”
It attributed the campaign to a government-backed entity based in North Korea. The nation’s cooperation office with South Korea did not immediately respond to CNBC’s request for comment.
Google said the actors have targeted specific security researchers with a “novel social engineering” technique, although it didn’t specify which researchers have been targeted.
Google’s Adam Weidemann said in a blog on Monday that the hackers set up a research blog and created multiple Twitter profiles to engage with security researchers.
The hackers used these accounts to post links to the blog and share videos of software exploits that they claimed to have found, Google said.
They also used LinkedIn, Telegraph, Discord, Keybase and email to engage with security researchers, Google said.
“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together,” wrote Weidemann.
The actors then shared a group of files with the researchers that contained malware — software that is intentionally designed to cause damage to a computer, server, client, or computer network.
Google listed several accounts and websites that it believes are controlled by the hackers. The list includes 10 Twitter profiles and five LinkedIn profiles.
Google said it also observed instances of security researchers being compromised after visiting the actors’ blog.
“In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” wrote Weidemann.
Google said the victims were running fully patched and up-to-date versions of Windows 10 and its own Chrome browser.
“At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have,” Weidemann wrote.
“Chrome vulnerabilities, including those being exploited in the wild, are eligible for reward payout under Chrome’s Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity.”