Google Reveals North Korea's Security Researcher-Targeting Campaign

The hackers have been posing as fellow researchers to gain trust.
Fabienne Lang

A North Korean government-backed campaign has been targeting security researchers around the world for months, as revealed by Google's Threat Analysis Group (TAG).

It turns out the researchers were targeted as they work on vulnerability research and development at different companies and organizations, and that the bad actors mostly posed as researchers themselves to gain their trust. 


To gain credibility, the bad actors created their own research blogs, and profiles on Twitter, LinkedIn, Telegram, Discord, Keybase, and email. They would then reach out to the researchers and send links to their fake blogs, which, to look legitimate, were filled with analysis of vulnerabilities that had already been publicly shared, explained TAG.

Once communication was open and trust was gained, the bad actors would ask to collaborate on a vulnerability research project together. Then, they would send their victims a Microsoft Visual Studio Project with malware that enabled them to gain entry to the researchers' systems.

At other times, some of the researchers' systems were compromised after clicking on a link provided by the bad actor. Both methods enabled the bad actors to gain backdoor access to the researchers' computers.

As TAG discovered, the victims' computers were compromised while running fully patched and up-to-date Windows 10 and Chrome browsers, and TAG has so far seen only attacks on Windows systems.

The TAG team has listed some of the attackers' accounts and websites it has found, and some victims of these attacks have posted warnings on platforms such as Twitter.

Shane Huntley from Google has also been warning researchers via Twitter.
