Google security researchers are warning people to be wary of a team of devious hackers believed to be North Korean agents.
Like last year’s takeovers of Twitter VIP accounts, the newly discovered hacking campaign, revealed on Monday, shows the effectiveness of so-called social engineering – or old-fashioned deception. In this case, the hackers lured victims by presenting themselves through fake online personas as friendly computer security professionals.
The attackers first tried to establish their reputation. They did this in part by uploading promoted YouTube videos of alleged hacks to showcase their skills. (“A careful review of the video shows that the exploit is bogus,” noted Google researchers.) They also blogged about the inner workings of software vulnerabilities, sometimes posing as legitimate cybersecurity experts in ‘guest’ author posts.
After building their credibility, the hackers set out to ensnare their targets. They sent messages to cybersecurity professionals through a variety of channels including Twitter, LinkedIn, Telegram, Discord, Keybase, and email. Members of the so-called “infosec” Twitter, the online community of security professionals, share screenshots and anecdotes of their encounters with the predators – a point of pride for some.
The wool-covered wolves used two methods to endanger people’s machines. Sometimes they sent a target an infected file on the pretext of collaborating on vulnerability research. After downloading, the file would install a “back door” on the target’s machine.
Other times the hackers used a so-called ‘drive by’ attack. They asked the target to visit their website, which contained poisoned code. Even seemingly harmless browsing can lead to malware installation. (I will not link to the site here for obvious reasons.)
Alarmingly, Google is not entirely sure how the hackers infected people’s computers using the drive-by method. The victims were using “fully patched and up-to-date Windows 10 and Chrome browser versions,” meaning their defenses were up, Google researcher Adam Weidemann wrote. “At this point, we can’t confirm the compromise mechanism, but we welcome any information that others have,” he said, urging people to report any findings through Google’s bug bounty program.
“We hope this message will remind those in the security research community that they are the targets of government-sponsored attackers and should remain vigilant when dealing with individuals with whom they have not previously interacted,” Weidemann said.
I would add that it is not just security researchers who should be on the lookout. If you have something that other people might want – be it the ‘keys’ to resetting account ownership on Twitter, coveted hacking exploits, a relationship with other targeted contacts, or whatever – then, sooner or later, you’ll become a target too.
Never let your guard down.