Threat actors working on behalf of North Korea posed as security researchers on social media in a campaign to compromise employees of security companies, according to a Google report.
Going after security researchers is uncommon, and the actors' willingness to do it says a lot about how much effort went into the campaign, which makes it all the more worth studying.
In January, Google identified a campaign targeting security researchers working on vulnerability research, which it attributed to a group working for North Korea. The attackers set up a research blog, fake contacts and Twitter profiles, then posted videos and used social media to amplify their supposed work and build credibility with their targets.
Now the group is back, this time behind a fake company named SecuriElite, supposedly located in Turkey. The modus operandi is much the same, and the attackers are going after the same types of targets.
“The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits,” said Threat Analysis Group’s Adam Weidemann.
“Like previous websites we’ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page. In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered,” he explained.
This time, the group also set up a few fake LinkedIn profiles to make the company look legitimate. Google has not yet seen the new site serve any malicious content, but it informed LinkedIn of the fake profiles. In the previous campaign, the primary attack vector was an Internet Explorer zero-day, which suggests the group has others in reserve.
Google's report includes a complete list of the actor-controlled sites and accounts, which defenders can check against their own proxy logs and contact records.
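The practical use of such a list is to hunt for past contact with the actor's infrastructure. The script below is an added example, not code from Google's report or from the article: it normalizes URLs and bare hostnames (including the `hxxp`/`[.]` defanging common in published indicator lists) and matches them, as exact or parent domains, against a web-proxy log. The indicator domains and the log lines are constructed placeholders; substitute the domains from Google's published list and your own proxy format.

```python
"""Hunt for contact with published indicator domains in a web-proxy log."""
import re
from urllib.parse import urlsplit

# Constructed placeholders standing in for the real published list.
INDICATOR_DOMAINS = {"securi-elite.example", "research-blog.example"}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2021-03-31T10:15:02Z 10.0.0.12 GET https://www.securi-elite.example/index.html 200",
    "2021-03-31T10:15:09Z 10.0.0.12 GET https://intranet.example.org/wiki 200",
    "2021-03-31T11:02:44Z 10.0.0.40 GET http://notsecuri-elite.example/ 200",
    "2021-03-31T11:40:13Z 10.0.0.57 POST https://research-blog.example:8443/pgp.asc 200",
]


def refang(value: str) -> str:
    """Undo common defanging ('hxxp://', '[.]', '(.)') so published IOCs compare cleanly."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def normalize_host(value: str) -> str:
    """Reduce a URL or bare hostname to a lowercase host without port, path or trailing dot."""
    value = refang(value.strip().lower())
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host as a network location
    return (urlsplit(value).hostname or "").rstrip(".")


def match_indicator(host: str, indicators=INDICATOR_DOMAINS):
    """Return the indicator domain that `host` equals or is a subdomain of, else None."""
    host = normalize_host(host)
    if not host:
        return None
    # Longest indicator first so a more specific entry wins over its parent domain.
    for ind in sorted((normalize_host(i) for i in indicators), key=len, reverse=True):
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def scan_proxy_log(lines, indicators=INDICATOR_DOMAINS):
    """Return (timestamp, client, host, indicator) for every log line touching an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the whole hunt
        ts, client, _method, url = fields[:4]
        ind = match_indicator(url, indicators)
        if ind:
            hits.append((ts, client, normalize_host(url), ind))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

Note that `notsecuri-elite.example` is deliberately not reported: matching on a string suffix alone would flag it, so the check requires either an exact match or a dot-separated parent-domain match. Suffix-only matching is a common source of false positives when hunting on domain indicators.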