A North Korean government-backed campaign has been targeting security researchers around the world for months, as revealed by Google's Threat Analysis Group (TAG).
The researchers were targeted because they work on vulnerability research and development at various companies and organizations, and the bad actors mostly posed as researchers themselves to gain their trust.
To gain credibility, the bad actors created their own research blogs, along with profiles on Twitter, LinkedIn, Telegram, Discord, Keybase, and email. They would then reach out to the researchers and send links to their fake blogs, which were filled with analysis of vulnerabilities that had already been publicly disclosed so as to look legitimate, explained TAG.
Once communication was open and trust was gained, the bad actors would ask to collaborate on a vulnerability research project together. Then, they would send their victims a Microsoft Visual Studio Project with malware that enabled them to gain entry to the researchers' systems.
At other times, some of the researchers' systems were compromised after clicking on a link provided by the bad actor. Both methods enabled the bad actors to gain backdoor access to the researchers' computers.
The TAG team has listed some of the attackers' accounts and websites it has found, and some victims of these attacks have posted warnings on platforms such as Twitter, as can be seen below:
Here’s their first contact.. Twitter has deleted the acct but they just said “hi” and “hello” to prompt the first two messages and then asked if I can do Windows kernel exploitation pic.twitter.com/VJmo4yzPoC— Richard Johnson (@richinseattle) January 26, 2021
Hi @ShaneHuntley see my thread, z0x55g targeted me and is currently still active on Telegram under user kw0dem. I can provide the .suo sample if it will help— Richard Johnson (@richinseattle) January 26, 2021
And Shane Huntley from Google has been warning researchers via Twitter:
In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog.— Shane Huntley (@ShaneHuntley) January 26, 2021
The victim systems were running fully patched and up-to-date Windows 10 and Chrome