North Korean Threat Actors Targeting Cybersecurity Researchers
Google's Threat Analysis Group has detected an ongoing campaign launched by North Korean cyber threat actors against cybersecurity researchers. The threat actors created a blog and Twitter profiles to establish their credibility with the targeted researchers. After gaining their trust, the threat actors ask the researchers if they would like to work together on research projects. If they agree, the hackers send collaboration tools that include malware. Some researchers' computers were compromised after they visited the hackers' blog.
In the last SANS Top New Attacks and Threat Report (https://www.sans.org/reading-room/whitepapers/threats/paper/39520) we highlighted two active and sophisticated threat vectors: what I called Highly Targeted Phishing attacks, like this campaign against cybersecurity researchers; and a more dangerous variant that Ed Skoudis called "Very Deep Persistence" attacks, where malicious capabilities are buried within hardware, accessories, or components such as charging stations in public place, charging cables, or modified USB drives. While this news item focuses on cybersecurity researchers, these techniques have been used against CEOs, CFOs, and Boards of Directors - as well as researchers from many industries. Good topic for a mid-quarter special topic briefing or tabletop exercise with CXOs/boards.
While I most often worry about social engineering scams that my family members would fall for, this one targets us as cybersecurity professionals, with pretty decent supporting research and credentials. This should be used as a teaching moment for collogues newer to InfoSec. The actor's accounts are reportedly deactivated; even so, reference the Google blog list of social media accounts and make sure they're no longer connected with you. That blog also contains C2 site and hashes to incorporate in your detection tools.
If cybersecurity "researchers" can be taken in by these "grooming" attacks, imagine the vulnerability of young people. Parents cannot monitor all the activity of children online but they should try to ensure that they do not correspond with "friends" that they meet online.
William Hugh Murray
Read more in
Google: New campaign targeting security researchers
Wired: North Korea Targets--and Dupes--a Slew of Cybersecurity Pros
Ars Technica: North Korea hackers use social media to target security researchers
Dark Reading: North Korean Attackers Target Security Researchers via Social Media: Google
Vice: North Korean Hackers Hacked Famous Hackers With Fake Hacking Website, Google Says
The Register: I was targeted by North Korean 0-day hackers using a Visual Studio project, vuln hunter tells El Reg