Google outs suspected North Korean hackers
Suspected North Korean hackers used fake profiles on Twitter, LinkedIn and elsewhere to lure security researchers into compromise.
Google security researchers are warning people to be on the lookout for a squad of sly hackers believed to be North Korean agents.
Like last year’s Twitter VIP account takeovers, the newly discovered hacking campaign, unveiled Monday, shows the effectiveness of so-called social engineering—or good old-fashioned trickery. In this case, the hackers lured victims by presenting themselves, through fake online personas, as friendly computer security pros.
The attackers sought first to establish their reputations. They did this, in part, by uploading doctored YouTube videos of supposed hacks to show off their skills. (“A careful review of the video shows the exploit is fake,” Google researchers noted.) They also blogged about the inner workings of software vulnerabilities, sometimes impersonating legitimate cybersecurity experts in “guest” author posts.
After building credibility, the hackers moved to ensnare their marks. They sent messages to cybersecurity pros using a variety of channels: Twitter, LinkedIn, Telegram, Discord, Keybase, and email, among them. Members of so-called “infosec” Twitter, the online community of security pros, are sharing screenshots and anecdotes of their encounters with the predators—a point of pride for some.
The wool-clad wolves used two methods to compromise people’s machines. Sometimes they would send a target an infected file under the pretense of collaborating on vulnerability research. Once downloaded, the file would install a “backdoor” on the target’s machine.
Other times, the hackers used what’s called a “drive by” attack. They would ask the mark to visit their website, which ran poisoned code. Even seemingly innocuous browsing could lead to malware installation. (I won’t link to the site here, for obvious reasons.)
Alarmingly, Google isn’t quite sure how the hackers infected people’s computers using the drive-by method. The victims were running “fully patched and up-to-date Windows 10 and Chrome browser versions,” meaning their defenses were up, Google researcher Adam Weidemann wrote. “At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have,” he said, urging people to report any findings through Google’s bug bounty program.
“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” Weidemann said.
I would add that it’s not just security researchers who ought be on the lookout. If you’ve got something other people might want—whether that’s the “keys” for account ownership resets at Twitter, coveted hacking exploits, a relationship with other contacts who could be targeted, or whatever else—then, sooner or later, you’re going to be a target too.
Never drop your guard.
Robert Hackett
Twitter: @rhhackett
