Google believes the hackers are backed by the North Korean government.
In January 2020, Google revealed that cyber criminals have been targeting IT security researchers around the world. Now, according to the latest update from Google’s Threat Analysis Group (TAG), a North Korean government-backed hacking group is targeting security researchers with fake social media (Twitter and LinkedIn) accounts.
Moreover, they have created a fake cyber security company called SecuriElite, which is based in Turkey and using its website to lure security experts.
Reportedly, this company offers offensive security services, including “pentests, software security assessments, and exploits,” wrote Adam Weidemann from TAG. The website went live on March 17, while TAG’s team flagged the campaign as early as Jan 2021.
How Did the Hackers Target Researchers?
In its blog post published on Wednesday, Google's researchers wrote that the attackers tricked unsuspecting users via fake accounts and websites. When a target visited the link, a browser exploit was triggered immediately.
In total, eight Twitter accounts and seven LinkedIn profiles were identified by Google. A research blog and various fake profiles were created on different social media platforms including Twitter, Telegram, LinkedIn, Keybase, and Discord, to communicate with researchers and gain trust. Then they deployed a Windows backdoor through a trojanized Visual Studio Project.
All Fake Accounts Disabled
Google says that it reported the new campaign and the LinkedIn and Twitter accounts associated with it, after which all of the accounts were disabled.
Fake cyber security company SecuriElite’s homepage (Image: Google)
The accounts appeared to be owned by human resources personnel and vulnerability researchers at various security firms such as Trend Macro, which is obviously a fake name inspired by Trend Micro.
Some profiles were of people posing as the CEO of the fake Turkish firm. All of the accounts are now suspended. Google has added the fake website's link to its Safe Browsing blocklist to prevent users from visiting it by mistake.