Google has discovered a months-long spearphishing campaign targeting security researchers, carried out by hackers tied to the North Korean government.

In a blog post released late in the night on Jan. 25, Andrew Weidemann from Google’s Threat Analysis Group wrote that the campaign spanned multiple companies and researchers who focus on discovering new software vulnerabilities. To do this, the actors first attempted to pose as members of the community, setting up their own research blog as a front, in some cases recycling the work of other researchers and, in at least one case, faking a successful exploit. They also created multiple personas and sockpuppet accounts on social media sites such as Twitter, LinkedIn, Telegram, Keybase and Discord, where they shared posts, promoted the work of others and interacted with researchers over direct messages.

Weidemann said all that work was an effort to socially engineer and “build credibility” among targeted researchers, whom they later attempted to compromise in various ways. In some cases they approached the victim over Twitter with an offer to collaborate on a newly discovered exploit, sharing a Visual Studio project (Visual Studio is a software tool used to develop and review source code). That project contained a dynamic link library with custom malware designed to contact a malicious command and control server operated by the attackers. In other cases, researchers who visited the group’s blog clicked on a malicious link that installed malware and used an in-memory backdoor to beacon back to the group’s C2 infrastructure. Notably, Google says the victims were running fully patched and updated versions of Windows 10 and Chrome at the time of their compromise.
