Google Warning: North Korean Gov Hackers Targeting Security Researchers

Google late Monday raised the alarm about a “government-backed entity based in North Korea” targeting — and hacking into — computer systems belonging to security researchers.

Google’s Threat Analysis Group (TAG), a team that monitors global APT activity, said the ongoing campaign is aimed at security researchers working on vulnerability research and development at different companies and organizations.

The campaign, which is well organized across multiple online platforms, included drive-by browser compromises from booby-trapped websites.

“In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Google’s Adam Weidemann explained.

“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,” Weidewmann said, suggesting the possible use of zero-day exploits.

He said Google was unable to confirm the mechanism of compromise and asked for the public to report Chrome vulnerabilities, including those being exploited in the wild (ITW), to its Chrome’s Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.

Google said the actors behind this campaign are linked to a government-backed entity based in North Korea, worked over time to build credibility and connect with security researchers.

The actors established a research blog and multiple Twitter profiles and used the Twitter accounts to post links to their blog, post videos of their claimed exploits and to amplify and retweet posts from other accounts that they control.

Google found that the lure blog contained write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.

“While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit,” Weidermann said, providing screenshots and proof of the operation.

From the Google TAG blog:

The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.  

Weidemann said the actors have used accounts on Twitter, LinkedIn, Telegram, Discord, Keybase and e-mail, mostly on users running Microsoft’s Windows operating system.

“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” Weidemann added.