
North Korean hackers targeted U.S. security researchers

Suspected North Korean state hackers have been using social engineering schemes to target security researchers, according to researchers with Google’s Threat Analysis Group.

Driving the news: Using platforms "including Twitter, LinkedIn, Telegram, Discord, Keybase and email," the hackers posed as threat researchers themselves, building profiles and backstories that appeared legitimate.

  • "After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project," write the Google researchers.

One security researcher described how he was targeted — and later compromised — by someone he later realized was a North Korean operative.

  • "Hey folks, story time. A guy going by the name James Willy approached me about help with a 0-day. After providing a writeup on root cause analysis I realized the visual studio project he gave me was backdoored," wrote Alejandro Caceres, the researcher.
  • "Anyway, yes I was hacked," wrote Caceres. "No, no customer information was leaked, this was on a private [virtual machine] for this exact reason."

The Google team also said that the North Korean hackers set up a phony research blog that included malicious code that compromised the devices of targets who followed links to the site.
