N. Korean Hacking Group Is Targeting Security Researchers

A North Korean hacking group that targets security researchers has now created a fake offensive security firm. This firm which is believed to be state-sponsored,  has been exposed by Google's Threat Analysis Group (TAG).

The TAG, which specialises in tracking advanced persistent threat (APT) groups) has identified an on-going campaign targeting security researchers working on vulnerability research and development at different companies and organisations. 

The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security.  

On LinkedIn, two accounts have been identified impersonating recruiters for antivirus and security companies.  Google TAG, , said at the time that the North Korean cyber attackers had established a web of fake profiles on social media, including Twitter, Keybase, and LinkedIn.  "In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets," Google said. "They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control." 

When members of the group reached out to their targets, they would ask if their intended victim wanted to collaborate on cyber security research, before sending them a malicious MS Visual Studio development tool project containing a backdoor. They might also ask researchers to visit a blog laden with malicious code including browser exploits.  

In an update the TAG's Adam Weidemann said that the state-sponsored group has now changed tactics by creating a fake offensive security company "SecuriElite"with new social media profiles and a branded website. The fake company claims to be based in Turkey offering penetration testing services, software security assessments, and exploits. 

A link to a PGP public key has been added to the website. While the inclusion of PGP is standard practice as an option for secure communication, the group has used these links in the past as a means to lure their targets into visiting a page where a browser-based exploit is waiting to deploy.  

In addition, the SecuriElite 'team' has been furnished with a fresh set of fake social media profiles. The threat actors are posing as fellow security researchers, recruiters for cybersecurity firms, and in one case, the HR director of "Trend Macro" -- not to be confused with the legitimate company Trend Micro.  

Google's team linked the North Korean group with the usage of Internet Explorer zero-day in January. The company believes that it is likely they have access to more exploits and will continue to use them in the future against legitimate security researchers.  Google says they have reported all identified social media profiles to the platforms to allow them to take appropriate action.   

Google:       Google:       ZDNet:        Microsoft

You Might Also Read: 

North Korean Hackers Have Stolen $2billion:

 

« Guilty: DeepDotWeb Owner Confesses
Iran Nuclear Plant Hit By Cyber Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

Firebrand

Firebrand

Firebrand is the leader in Accelerated Learning in the field of IT and project management.

APrivacy

APrivacy

APrivacy provides information and communication security products for the financial services industry.

VNCERT

VNCERT

VNCERT is the national Computer Emergency Response Team for Vietnam.

Nok Nok Labs

Nok Nok Labs

Nok Nok is a market leader in next generation authentication for cloud, mobile and IoT applications.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Balbix

Balbix

Balbix BreachControl™ is the industry’s first system to leverage specialized AI to provide comprehensive and continuous predictive assessment of breach risk.

Phosphorous Cybersecurity

Phosphorous Cybersecurity

Phosphorus has fully automated remediation of the two biggest IoT vulnerabilities, out of date firmware and default credentials.

RFA

RFA

RFA is a unique IT, financial cloud and managed cyber-security provider to the financial services and alternative investment sectors.

AmWINS Group

AmWINS Group

AmWINS are a global specialty insurance distributor with expertise in property, casualty and professional lines including cyber liability.

Dynics

Dynics

The Dynics ICS-Defender is an Industrial Control System Security Appliance for OT or OT/IT convergent environments.

Thistle Technologies

Thistle Technologies

Thistle Technologies is building tools that help connected device manufacturers build security resiliency into devices.

xorlab

xorlab

xorlab is a Swiss cybersecurity company providing specialized, machine-intelligent defense against highly engineered, sophisticated and targeted email attacks.

Helix Security Services

Helix Security Services

Helix Security provides IT & information security consultancy to government and businesses across New Zealand.

ArmorPoint

ArmorPoint

ArmorPoint redefines the traditional approach to cybersecurity by combining network operations, security operations, and SIEM technology in one platform.

Verinext

Verinext

Verinext delivers transformative business technology, from intelligently automating time-consuming tasks and protecting data assets to securing infrastructure and improving customer experiences.