North Korean hackers target security researchers in new campaign


Google’s Threat Analysis Group (TAG) has discovered a new ongoing campaign targeting security researchers working on vulnerability research.

The campaign is allegedly tied back to a North Korean government-backed entity and used multiple means to target researchers. The hackers set up fake accounts on LinkedIn, Twitter, Telegram, Discord, Keybase and email to communicate with potential victims.

Moreover, the actors also set up blog posts and communicated with researchers in an effort to gain their trust and “collaborate” on research efforts.

Some researchers sent out warnings after they had received back-doored files from the hackers in an attempt to compromise their systems.

“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” Adam Weidemann from Google’s TAG team wrote in a blog post.

Bad actor accounts, sites and IoCs

Google's TAG team published a list of actor accounts and sites that have been identified as part of the campaign.

Those include specific accounts created on Twitter, LinkedIn, Keybase and Telegram.

In addition, researchers should take note of the blog site used in the campaign – https://blog.br0vvnn[.]io. Moreover, Google also provided the attacker-owned, as well as legitimate but compromised, command and control (C2) domains used in the attacks.

Finally, Google also listed sample hashes for the malware, C2 URLs and host Indicators of Compromise (IoCs).
