North Korean state-sponsored threat actors have launched a new campaign targeting security researchers, marking the second time they have engaged in such activities in recent years. Google initially uncovered the attackers’ focus on cybersecurity professionals in January 2021 and has now detected their return with a fresh zero-day vulnerability, a counterfeit software tool, and an extensive phishing scheme, according to a blog post from Google’s Threat Analysis Group.
The targeting of individuals involved in cybersecurity research is not a new phenomenon and has grown increasingly common and sophisticated over the years. Callie Guenther, Cyber Threat Research Senior Manager at Critical Start, stated that these operations are multifaceted and aim not only to steal information but also to gain insights into defense mechanisms, refine tactics, and evade future detection.
Google researchers first encountered this particular hacker group more than two years ago, when the attackers began contacting security professionals on social media. They created fabricated personas with names like “James Willy” and “Billy Brown” to give their accounts an air of authenticity, and even produced genuine cybersecurity research content to further legitimize the fake identities.
The current campaign shows a similar level of effort and dedication. For example, through a now-inactive Twitter account, the threat actors engaged in months-long conversations with one of their targets, discussing shared interests and the possibility of future collaborations. Once sufficient trust was established, the attackers sent a file containing a zero-day exploit for a popular software package through an encrypted messaging app such as Signal or WhatsApp. Google is withholding the exact details of the vulnerability and the affected software package until the vendor can address the issue.
If a victim fell for the bait and executed the file, the downloaded shellcode would first check whether it was running in a virtual machine. If so, the code would do nothing further. If it was running on a real, non-virtualized device, however, it would send information, including a screenshot, to the attacker’s command-and-control infrastructure.
Additionally, the attackers devised a lower-effort method to ensnare unsuspecting researchers. They created a GitHub account named “dbgsymbol,” where they could extend their researcher persona by sharing proofs-of-concept (PoCs) and security “tools.” One popular tool, called “getsymbol,” claims to be a simple utility for downloading debugging symbols from prominent symbol servers. While it performs its advertised function, it also allows its developers to run arbitrary code on a researcher’s machine once it is downloaded and run. As of now, the tool has been forked 23 times.
According to Guenther, security professionals need to remain vigilant and ensure they do not fall for these tactics. The hacking of security researchers is not just about breaching their systems but is a strategic move by adversaries. These researchers are at the forefront of discovering vulnerabilities and developing mitigation techniques. By infiltrating their systems, threat actors can gain access to undisclosed vulnerabilities, proprietary tools, and valuable threat intelligence databases. Moreover, these researchers may be involved in projects of national significance, making them attractive targets for espionage.
The Google Threat Analysis Group provided advice for potential targets, urging them to be cautious about running and opening files from unknown third parties. The threat actors in this campaign have demonstrated a willingness to invest time in building rapport before carrying out malicious actions.
As threat actors continue to evolve their strategies and become more sophisticated, it is crucial for the cybersecurity community to remain alert and proactive in protecting sensitive information and defending against attacks.