An early January morning security researcher Zuk Avraham received an indescribable direct message out of the blue on Twitter: “Hello.” It was from someone named Zhang Guo. The short, unsolicited message was not too unusual; as the founder of both threat monitoring company ZecOps and antivirus company Zimperium, Avraham receives many random DMs.
Zhang claimed to be a web developer and bug hunter in his Twitter bio. His profile showed that he had created his account last June and had 690 followers, perhaps a sign the account was credible. Avraham responded with a simple hello later that night and Zhang immediately replied, “Thank you for your response. Do I have a few questions? ”He then expressed his interest in the vulnerabilities in Windows and Chrome and asked Avraham if he was a vulnerability researcher himself. That’s where Avraham let the conversation slip away. “I didn’t respond – I guess being busy saved me here,” he told WIRED.
Avraham was not the only one to have had this kind of conversation with the “Zhang Guo” Twitter account and its associated aliases, which are all now suspended. Dozens of other security researchers – and possibly more – in the United States, Europe and China have received similar messages in recent months. But as Google’s threat analysis group revealed on Monday, those messages weren’t from bug-hunter enthusiasts at all. They were the work of hackers sent by the North Korean government, as part of a massive campaign of social engineering attacks aimed at compromising high-level cybersecurity professionals and stealing their research.
The attackers weren’t limited to Twitter. They’ve also set up identities in Telegram, Keybase, LinkedIn and Discord, sending messages to established security researchers about potential collaborations. They’ve created a legitimate looking blog with the kind of vulnerability scans you would find in a real business. They had found a flaw in Microsoft Windows, they would say, or Chrome, depending on the expertise of their target. They needed help figuring out if it was exploitable.
It was quite a front. Each exchange had a common goal: to get the victim to download malware masquerading as a research project, or to click a link in a blog post containing malware. Targeting security researchers was, as Google called it, a “new method of social engineering.”
“If you have contacted any of these accounts or visited the actor blog, we suggest you review your systems,” wrote Adam Weidemann, researcher at TAG. “To date, we’ve only seen these actors target Windows systems as part of this campaign.”
The attackers mainly attempted to spread their malware by sharing Microsoft Visual Studio projects with targets. Visual Studio is a development tool for writing software; attackers would send in the source code of the exploit they claimed to be working on with malware as a free rider. After a victim downloads and opens the corrupted project, a malicious library begins to communicate with the attackers’ Command and Control server.
Another possibility of infection was the malicious blog link. With one click, the targets unknowingly unleashed an exploit that gave attackers remote access to their device. Victims reported that they were running current versions of Windows 10 and Chrome, indicating that hackers may have used an unknown or zero-day Chrome exploit to gain access.
ZecOps ‘Avraham says that while the hackers didn’t deceive him during their brief chat with DM, he clicked a link in one of the attackers’ blog posts that purported to show research-related code. He did this from a dedicated, isolated Android device that he said didn’t appear to have been compromised. But the focus of the bogus blog analysis raised red flags at the time. “I suspected once I saw the shellcode,” he says of the malware payload the attacker deployed in an attempt to compromise. “It was a bit strange and cryptic.”