Hackers masqueraded as bloggers with a passion for scientific research and used fake social media accounts while attempting to steal information.
Detection by Google
A network of North Korea-based hackers has targeted security researchers, according to the Threat Analysis Group, a Google team that tracks and counters government-backed cyberattacks from various countries.
“Over the past few months, the Threat Analysis Group has identified an ongoing campaign against security researchers working in research and development in different companies and organizations,” its manager, Adam Weidemann, wrote on Monday, January 25, 2021, on the official Google blog. He also said specialists from the Threat Analysis Group attributed the campaign to “an entity supported by the North Korean government and based in North Korea.”
Adam Weidemann added that “in an effort to bolster their credibility and reach out to security researchers, hackers have created a blog focused on scientific research as well as multiple Twitter profiles in order to interact with potential targets,” and that these Twitter accounts were used to post “their blog links, post videos of their alleged exploits, and retweet posts from other accounts they controlled.”
According to the Threat Analysis Group, the hackers also used LinkedIn, Telegram, Discord and Keybase to communicate with their victims.
Phishing through a blog
After establishing contact with a researcher, the hackers asked whether the researcher wanted to collaborate on vulnerability research and then shared a tool that, unknown to the recipient, contained code designed to install malware on the researcher’s computer. The malware then allowed the hackers to take control of the machine and steal all kinds of information from it.
“Several targeted researchers were compromised after following a Twitter link to a blog set up by the hackers,” said Adam Weidemann, who also published a list of social media accounts and websites he said were controlled by the hackers.
Security specialists who were victims of these hackers admitted that, at this point, they were unable to confirm to what extent or in what manner their systems may have been compromised, and said that they “welcome any information that others might have obtained”.
Adam Weidemann added that at the time of these visits, “the operating systems of the hackers’ computers were running fully patched and fully up-to-date Windows 10 and Chrome browser versions.”
Involvement of North Korea?
While North Korea denies any involvement, it has been suspected in the past of being responsible for major cyberattacks, including a 2013 campaign that crippled the servers of South Korean financial institutions; the spectacular hack of the film studio Sony Pictures in 2014, which led to the publication of tens of thousands of confidential e-mails and business files; and the numerous attacks using the WannaCry ransomware in 2017.
In 2018, the US Department of Justice filed criminal charges, following a multi-year FBI investigation, against a computer programmer named Park Jin-hyok (whose location is unknown) for his alleged involvement in the cyberattacks against Sony Pictures and in the deployment of the WannaCry ransomware. According to the indictment, this hacker is linked to the North Korean military intelligence services and also took part, in 2016, in the theft of $81 million from the central bank of Bangladesh.
In 2019, the UN Security Council estimated that North Korea could have earned, over several years, up to $2 billion from attacks targeting cryptocurrency trading platforms.