According to Google’s Threat Analysis Group, a hacking campaign has been set up in recent months targeting security researchers. North Korean state hackers are said to be behind the campaign.
The state hackers target specific security researchers and use various forms of social engineering. The group has set up a blog about vulnerabilities and created fake Twitter accounts posing as security researchers. According to Google TAG, the group uses these to build credibility.
Targeted security researchers are asked to collaborate on research into a vulnerability. The hackers then send the target a Visual Studio project containing source code for exploiting a vulnerability, along with an additional DLL containing malware that is executed through Visual Studio Build Events.
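A practical defensive check that follows from this delivery method is to inspect a received project file for build-event commands before opening or building it, since Visual Studio will run those commands on the machine that builds the project. The script below is an added example, not code from the article or from Google TAG: it parses a `.vcxproj` with the standard library, lists every `PreBuildEvent`, `PreLinkEvent`, `PostBuildEvent`, `CustomBuildStep` and `CustomBuild` command, and flags commands that load DLLs or spawn interpreters. The embedded project file is constructed for the example, and the DLL name and entry point in it are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose <Command> child is executed during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent",
              "CustomBuildStep", "CustomBuild")

# Heuristics for commands that deserve manual review before a build is run.
SUSPICIOUS = [
    (r"rundll32", "loads a DLL via rundll32"),
    (r"regsvr32", "registers a DLL via regsvr32"),
    (r"\.dll\b", "references a DLL file"),
    (r"powershell|cmd(\.exe)?\s+/c", "spawns a shell interpreter"),
    (r"https?://", "contains a URL"),
]

# Constructed sample project: a pre-build event that loads a DLL shipped
# alongside the "exploit" source, plus a harmless post-build copy step.
# File and export names are placeholders, not indicators from the report.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build"
  xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe $(SolutionDir)helper.dll,Init</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy $(OutDir)poc.exe $(SolutionDir)</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.split("}")[-1]


def extract_build_events(vcxproj_xml: str):
    """Return a list of (event_tag, command) pairs found in the project XML."""
    root = ET.fromstring(vcxproj_xml)
    events = []
    for elem in root.iter():
        if _local(elem.tag) not in EVENT_TAGS:
            continue
        for child in elem:
            if _local(child.tag) == "Command" and child.text and child.text.strip():
                events.append((_local(elem.tag), child.text.strip()))
    return events


def audit_build_events(vcxproj_xml: str):
    """Annotate every build-event command with the heuristics it matches."""
    findings = []
    for event, command in extract_build_events(vcxproj_xml):
        reasons = [why for pattern, why in SUSPICIOUS
                   if re.search(pattern, command, re.IGNORECASE)]
        findings.append({"event": event, "command": command, "reasons": reasons})
    return findings


def flagged_events(vcxproj_xml: str):
    """Only the build events that matched at least one heuristic."""
    return [f for f in audit_build_events(vcxproj_xml) if f["reasons"]]


if __name__ == "__main__":
    for finding in audit_build_events(SAMPLE_VCXPROJ):
        status = "FLAG" if finding["reasons"] else "ok  "
        print(f"{status} {finding['event']}: {finding['command']}")
        for reason in finding["reasons"]:
            print(f"       - {reason}")
```

Run it against a real file with `audit_build_events(open("project.vcxproj").read())`. An empty build-event list does not make a project safe (the malicious code could also sit in the "exploit" source itself), so the sensible workflow remains building unknown projects only in an isolated virtual machine.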
On their blog, the state hackers publish articles in which they claim to demonstrate exploits for vulnerabilities. According to Google, at least one of them is fake: an exploit for CVE-2021-1647, a recently patched vulnerability in Windows Defender.
On January 14 the state hackers posted a video on Twitter and YouTube in which they allegedly demonstrated an exploit. In replies to those videos, others noted that the video had been tampered with and that no working exploit was shown.
According to Google, several security researchers have also been compromised simply by visiting the blog. They followed a Twitter link that pointed to an article, and shortly afterwards their system was infected and the malware contacted a command and control server. The victims reportedly used fully patched Windows 10 systems with the latest Chrome browser. Google says it does not yet know how these attacks succeeded; the attackers may have used an as yet unknown vulnerability.
Google has published an overview of account names said to be associated with the hacking campaign. The attackers use a variety of platforms to contact security researchers, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email. So far, only researchers on Windows systems have been attacked, Google says.