According to Google’s blog, there is a new path hackers are using to get inside the computers of cybersecurity experts: social media. Google suspects that hackers in North Korea are targeting security researchers via social media platforms.
The reason? The campaign could give the hackers insight into the vulnerabilities the research community was studying, which they could then exploit themselves.
What happened?
Google said the actors have targeted specific security researchers with a “novel social engineering” technique, although it did not specify which researchers were targeted. The hackers set up a “research blog” and several Twitter and LinkedIn profiles to engage with cybersecurity experts, in some cases also using Telegram, Discord, and email.
The hackers used these accounts to post links to the blog and to share files and videos of software exploits that they claimed to have found, Google said. All of these links were sent to the researchers in an attempt to deliver malware. Google listed the accounts and websites that it believes are managed by the hackers; the list includes the social media profiles and sample hashes.
The attacks were reported by Google’s Threat Analysis Group. “After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together,” wrote Adam Weidemann on the blog.
“In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server.”
Who is responsible for the attack?
This malware was linked to the Lazarus Group, a North Korean state-sponsored operation.
As part of its investigation, the Google TAG team is asking cybersecurity researchers to share more information about the attacks.
Meanwhile, some security researchers have already disclosed on social media that they received messages from the attackers’ accounts, although none have said that their systems were compromised.