North Korean hackers covertly approached security researchers from around the world and lured them to visit an "exploit research blog" about hacking in order to compromise them, Google said Monday. The scheme was at times successful: the hackers used Windows and Chrome zero-days against their targets, Google said in its report.
The hackers primarily used fake Twitter and LinkedIn accounts to approach security researchers. The hackers also used the Twitter accounts to post links to a blog where they analyzed public vulnerabilities and also claimed to find zero-days, which turned out to be fake. The hacking campaign spanned the last several months.
"We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with," Adam Weidemann, who works for Google's in-house security research team known as Threat Analysis Group, wrote in the report.
After Google's announcement, several security researchers admitted on Twitter that they were targeted.
Alejandro Caceres, the founder of security firm Hyperion Gray, said on Twitter that he was one of the victims. The hackers established contact with him via Twitter and eventually shared a file with him that contained malware, according to Caceres, who is offering a bounty of $80,000 to anyone who can provide information about the hackers' identities.
"Yes I was hacked. No, no customer information was leaked, this was on a private [Virtual Machine] for this exact reason," Caceres said.
In some cases, according to Google, the hackers were able to compromise targets simply by having them visit a malware-laden website under their control. What's more surprising, "at the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions," according to Google. This means the hackers potentially had access to previously unknown Windows and Chrome vulnerabilities, commonly referred to as zero-days.
One of the malicious sites used by the hackers is still online, and is now flagged as dangerous by Google.
The link to the malicious website was widely shared on Twitter, underlining how successful the hackers were in establishing a bona fide reputation.
"james0x40 and djokovic808 really managed to ingratiate themselves," Lesley Carhart, a security expert who works at Dragos, said on Twitter, referring to two of the personas used by the hackers. "The names are really familiar from seeing them in conversations all over, this year."
Do you know of any similar security vulnerability or data breach? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
This hacking campaign is a reminder that security researchers are a juicy target for nation-state hackers, especially those working for a government with more limited resources. It is also a good reminder that social engineering is still one of the most effective ways to hack people, even those who work in cybersecurity.