Google TAG Exposes North Korean Campaign Targeting Researchers

Google’s Threat Analysis Group (TAG) has shed light on a cyber campaign originating from North Korea, targeting security researchers engaged in vulnerability research and development.

Since January 2021, TAG has reportedly monitored and thwarted multiple campaigns conducted by these North Korean threat actors. The team has discovered the exploitation of at least one zero-day vulnerability in the last few weeks, prompting TAG to promptly report the issue to the affected vendor, who is now working on a patch.

Notably, Google has yet to disclose details on the zero-day flaw exploited in these attacks and the name of the vulnerable software, likely because the vendor is still patching the vulnerability.

The modus operandi of these threat actors involves establishing communication with security researchers via social media platforms such as X (formerly Twitter) before migrating to encrypted messaging apps like Signal, WhatsApp or Wire. Once trust is established, the attackers distribute malicious files that exploit zero-day vulnerabilities in widely used software packages.

Upon successful exploitation, the malicious code conducts various anti-virtual machine checks and transmits collected data, including screenshots, to a command-and-control (C2) domain controlled by the attackers. Google TAG said the technique closely mirrors previous North Korean cyber-exploits.

“Given that the world of security research has many relationships formed over the internet, and with limited personal contact, it will be hard to police and deeply investigate all interactions,” commented John Gallagher, vice president of Viakoo Labs at Viakoo. “The best advice would be to take a ‘no exceptions’ policy to handle software or links from outside your organization.”

Notably, in addition to zero-day exploitation, the threat actors have developed a standalone Windows tool designed to download debugging symbols from major symbol servers, including those of Microsoft, Google, Mozilla and Citrix. While seemingly legitimate, this tool can also execute arbitrary code from attacker-controlled domains, potentially compromising victims’ systems.

“The targeting of those involved in cybersecurity research is not rare. In fact, it has grown more frequent and sophisticated over the years,” commented Callie Guenther, cyber threat research senior manager at Critical Start.

“There have been incidents where nation-state actors, like North Korea and Russia, have specifically aimed at cybersecurity professionals and organizations. These operations are multifaceted, aiming not just to steal information but also to gain insights into defense mechanisms, refine their tactics and better evade future detection.”


To safeguard against these threats, TAG has advised those who may have downloaded or run the tool to take precautions, including a possible system reinstall.
