North Korean Hackers Expand Targeting of Security Community

A North Korean espionage campaign targeting security researchers has taken another turn with the creation of a new fake company, website and social media accounts to lure victims, according to Google.

The tech giant’s Threat Analysis Group (TAG) first discovered the campaign back in January. At the time, the threat group launched a research blog which it posted links to via fake social media profiles on LinkedIn, Twitter and Keybase.

It then approached researchers in the cybersecurity community, asking if they wanted to collaborate on projects. They would either be sent backdoor malware or pointed to a blog site seeded with malware.

However, in mid-March, TAG analysts observed the group had launched a fake security company, ‘SecuriElite,’ with its own website.

“The new website claims the company is an offensive security company located in Turkey that offers pen-tests, software security assessments and exploits. Like previous websites we’ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page,” explained TAG’s Adam Weidemann.

“In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered.”

Alongside the website, the North Korean group has created some more fake social media profiles related to both security researchers and non-existent recruiters for AV companies. One is misspelled “Trend Macro” rather than the legitimate firm Trend Micro.

Although the fake security company site as yet is not serving up malware to those who visit it, the group itself means business, Google warned.

“Following our January blog post, security researchers successfully identified these actors using an Internet Explorer zero-day. Based on their activity, we continue to believe that these actors are dangerous, and likely have more zero-days,” Weidemann concluded.

“We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerabilities Rewards Program submission process.”

What’s Hot on Infosecurity Magazine?