Google security researchers are warning people to be on the lookout for a squad of sneaky hackers believed to be North Korean agents.
Like last year's Twitter VIP account takeover, the newly discovered hacking campaign, unveiled Monday, shows the effectiveness of so-called social engineering – or good old-fashioned trickery. In this case, the hackers lured their victims by presenting themselves, through fake online personas, as friendly IT security professionals.
The attackers first sought to establish their reputation. They did so, in part, by uploading doctored YouTube videos of supposed hacks to show off their skills. (“Close examination of video shows exploit to be fake,” Google researchers noted.) They also blogged about the inner workings of software vulnerabilities, sometimes masquerading as legitimate cybersecurity experts in “guest” articles.
After gaining credibility, the hackers tried to ensnare their targets. They sent messages to cybersecurity professionals over various channels, among them Twitter, LinkedIn, Telegram, Discord, Keybase and e-mail. Members of “infosec” Twitter, the online community of security professionals, are sharing screenshots and anecdotes of their encounters with the predators – not a point of pride for some.
The wolves in sheep's clothing used two methods to compromise people's machines. Sometimes they would send an infected file to a target under the pretext of collaborating on vulnerability research. Once downloaded and opened, the file would install a “backdoor” on the target's machine.
Other times, the hackers used what is called a “drive-by” attack. They would ask the target to visit their website, which served poisoned code. Even seemingly harmless browsing can lead to the installation of malware. (I won't link to the site here, for obvious reasons.)
Alarmingly, Google is not quite sure how the hackers infected people's computers using the drive-by method. The victims were running “fully patched and up-to-date Windows 10 and Chrome browser versions,” meaning their defenses were in place, Google researcher Adam Weidemann wrote. “At this time, we are unable to confirm the compromise mechanism, but welcome any information others may have,” he said, urging people to report any findings via Google's bug bounty program.
“We hope this article serves as a reminder to members of the security research community that they are the target of government-backed attackers and that they must remain vigilant when engaging with people they haven't interacted with yet,” Weidemann said.
I would add that it's not just security researchers who should be on the lookout. If you have something that other people might want – whether it's the “keys” to resetting ownership of a Twitter account, coveted hacking exploits, a relationship with other contacts who might be targeted, or anything else – then sooner or later you're going to be a target too.
Never let your guard down.