skip to Main Content

Cyber Espionage, North Korea’s hackers target cybersecurity researchers

Google Threat Analysis Group: North Korea’s hackers target cybersecurity researchers. They use multiple platforms to communicate, and a blog

North Korea’s state hackers are targeting security researchers working on vulnerability research and development at different companies and organizations. It has been discovered by Google Threat Analysis Group cybersecurity experts. The actors behind this cyber espionage campaign have employed a number of means to target. In order to build credibility and connect with the targets, the threat actors established a research blog and multiple Twitter profiles to interact. They’ve posted links to their blog, videos of their claimed exploits and amplified and retweeted posts from other accounts that they control. Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers. These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email.

The threat actors exploit also a novel social engineering technique for their cyber espionage purpose

According to the cybersecurity experts, the North Korean’s threat actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, they would ask the targets if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within it would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. In addition, there are several cases where researchers have been compromised after visiting the actors’ blog. In each of them, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on their system and an in-memory backdoor would begin beaconing to an actor-owned command and control server.

Back To Top