Google says it has identified an ongoing hacking campaign targeting security researchers who work on vulnerability research and development at various companies and organizations; the attackers are believed to be backed by North Korea.
In a blog post, Google’s Threat Analysis Group (TAG) says the actors behind the campaign have used several tools and techniques to target researchers, including social engineering via Twitter and phony security research blogs.
To build credibility with legitimate security researchers, the group established a research blog and multiple Twitter profiles to interact with the security researcher community. Blogs and posts include analysis of publicly disclosed vulnerabilities and guest posts from “unwitting legitimate security researchers.”
However, some of the exploits the group claimed to have found were fake, including a claimed exploit, demonstrated in a YouTube video, of a recently patched Windows Defender vulnerability. Multiple comments on the video indicated that the research was fake.
The TAG post included a detailed description of the novel social engineering the group undertook to trick security researchers into collaborating with them.
After establishing a line of communication with a researcher, the group would ask to collaborate on vulnerability research and then send the researcher a Visual Studio project.
“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” according to the TAG. “The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
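The Build Events vector described above, a DLL run from the project's own build step, is something a defender can check for before building a project received from a third party. The following is an added example, not code from this article or from Google TAG: it parses an MSBuild/.vcxproj file, lists every build-time command (pre-build, pre-link, post-build, custom build steps and Exec tasks), and flags those matching a simple, assumed heuristic for commands that load or run native code. The sample project and the DLL name in it are constructed.

```python
"""Scan a Visual Studio project (.vcxproj / MSBuild XML) for build events
that execute commands, and flag the ones that appear to load or run a DLL."""
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose <Command> child is executed during the build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}
# Heuristic (an assumption, tune to your environment): commands that invoke a
# DLL loader, a scripting host, or reference a DLL are worth a manual look.
SUSPICIOUS = re.compile(r"rundll32|regsvr32|\.dll\b|powershell|cmd(\.exe)?\s+/c", re.I)

def _local(tag):
    """Strip the MSBuild XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def build_commands(project_xml):
    """Return (event_name, command) pairs for every build-time command found."""
    found = []
    for elem in ET.fromstring(project_xml).iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec" and elem.get("Command"):  # <Exec> task inside a <Target>
            found.append(("Exec", elem.get("Command").strip()))
    return found

def flag_suspicious(project_xml):
    """Return only the build commands that match the loader/DLL heuristic."""
    return [(n, c) for n, c in build_commands(project_xml) if SUSPICIOUS.search(c)]

# Constructed sample project (not the file from the TAG report): a benign
# pre-build copy step plus a post-build event that runs a bundled DLL.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>copy "$(ProjectDir)poc.h" "$(OutDir)"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Start</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for event, cmd in flag_suspicious(SAMPLE_VCXPROJ):
        print(f"[!] {event}: {cmd}")
```

Run it against every .vcxproj and .props file in a received project before opening it in Visual Studio; an empty result does not prove the project is safe, only that no build command matched the heuristic.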
Other methods included compromising researchers after they visited the fake vulnerability research blog. After the researcher followed a link on Twitter to a post on the blog, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server, according to the post.
“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,” Google’s TAG posted. “At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have.”
Other platforms used to communicate with targets include LinkedIn, Telegram, Discord, Keybase and email.
So far, researchers have only observed the actors targeting Windows systems as part of this activity.
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” Google’s security team posted.
For a list of the social media accounts, links and indicators of compromise, read Google’s blog post.