North Koreans social engineer and hack vulnerability developers


Attacks via social media, messaging and email.

Google's Threat Analysis Group says it has uncovered an ongoing campaign by North Korean government-backed threat actors who are targeting researchers who analyse and develop security vulnerabilities.

The attacks have taken place over the past several months, TAG said.

Multiple Twitter profiles, a research blog, and YouTube videos claiming to demonstrate exploits were set up by the North Korean threat actors.

They also used other platforms to communicate with security researchers they targeted, including LinkedIn, Telegram, Discord, Keybase and email messages.

Specific researchers were asked by the threat actors if they wanted to collaborate on vulnerability work.

If they agreed, TAG said, the threat actors sent them a Microsoft Visual Studio project containing source code for exploiting the vulnerability.

The project also carried an additional dynamic link library (DLL) containing custom malware, which was executed through Visual Studio Build Events when the target built the project.

Once run, the DLL immediately begins communicating with attacker-controlled command and control domains.
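The build-event trick is worth checking for before opening any project received from a stranger, because a pre-build or post-build command runs with the developer's privileges as soon as the project is built, regardless of what the source code does. The following scanner is an added example written for this page, not code from Google TAG or the original article. It parses the MSBuild XML of a .vcxproj/.csproj, lists every PreBuildEvent, PreLinkEvent, PostBuildEvent and Exec command across all configurations, and flags commands that load a DLL or invoke a script host. The embedded sample project, its DLL name `helper.dll` and the export `Init` are constructed for the example and do not come from the campaign.

```python
"""Scan Visual Studio / MSBuild project files for build-event commands.

Added example, not code from Google TAG or the article above. The sample
project, file names and commands below are constructed for illustration.
"""
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Elements that carry build-event commands in .vcxproj (as <Command> children)
# and in old-style .csproj (as the element text itself).
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Tools and file types that turn a build event into arbitrary code execution.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|powershell|pwsh|cmd(\.exe)?\s+/c|wscript|cscript|mshta|"
    r"certutil|bitsadmin|\.dll\b|\.ps1\b|\.vbs\b|\.js\b",
    re.IGNORECASE,
)

# Constructed sample: a benign pre-build echo, a post-build rundll32 of a DLL
# shipped with the project, and an Exec task hidden in a custom Build target.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>echo Building proof of concept</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Init</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Build">
    <Exec Command="cmd /c start /b $(ProjectDir)helper.dll" />
  </Target>
</Project>
"""


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_events(project_xml):
    """Return (kind, command, suspicious) for every build command in the project XML.

    kind names the containing element (or the Target holding an Exec task),
    command is the raw command text, suspicious is True when SUSPICIOUS matches.
    All configurations are scanned, not only the one Visual Studio would build.
    """
    root = ET.fromstring(project_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            commands = [c.text for c in elem if _local(c.tag) == "Command"] or [elem.text]
            for cmd in commands:
                if cmd and cmd.strip():
                    cmd = cmd.strip()
                    found.append((name, cmd, bool(SUSPICIOUS.search(cmd))))
        elif name == "Exec":
            cmd = (elem.get("Command") or "").strip()
            if cmd:
                target = parents.get(elem)
                tname = target.get("Name", "?") if target is not None else "?"
                found.append(("Exec in target " + tname, cmd, bool(SUSPICIOUS.search(cmd))))
    return found


def triage(project_xml):
    """Only the build commands that match SUSPICIOUS."""
    return [e for e in find_build_events(project_xml) if e[2]]


def scan_directory(path):
    """Scan every MSBuild file under path; returns {file: suspicious events}.

    .props/.targets are included because a project can <Import> them and they
    can carry the same Exec targets as the project file itself.
    """
    report = {}
    for pattern in ("*.vcxproj", "*.csproj", "*.vbproj", "*.props", "*.targets"):
        for f in Path(path).rglob(pattern):
            try:
                hits = triage(f.read_text(encoding="utf-8-sig"))
            except ET.ParseError:
                hits = [("unparseable", "could not parse XML", True)]
            if hits:
                report[str(f)] = hits
    return report


def main(argv):
    if len(argv) > 1:
        for f, hits in scan_directory(argv[1]).items():
            for kind, cmd, _ in hits:
                print(f"SUSPICIOUS {f}: {kind}: {cmd}")
    else:
        for kind, cmd, bad in find_build_events(SAMPLE_VCXPROJ):
            print(("SUSPICIOUS " if bad else "ok         ") + kind + ": " + cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a directory argument to sweep an untrusted project tree before opening it in Visual Studio; with no argument it prints the triage of the constructed sample, where the rundll32 post-build event and the Exec task are flagged and the echo is not. The regex is a first-pass filter, not an allowlist: any command you do not fully understand should be treated as code execution and reviewed by hand, ideally on a throwaway VM.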

TAG said it has not yet determined how the North Korean actors compromised some of the targeted systems, which were running fully patched and up-to-date versions of Windows 10 and Chrome.

It is asking anyone with information on the potential vulnerability that was used to report it.

Researchers who may have been targeted by the North Korean threat actors should segment their activities and use separate physical or virtual machines for general web browsing, for interacting with others in the research community, and for accepting files from third parties, TAG warned.

TAG did not identify the targeted researchers or the organisations they work for.

North Korean hackers have been very active in the past decade.

Last year TAG found them impersonating journalists and news outlets in order to spread disinformation about the COVID-19 pandemic.

DPRK state-sponsored hackers are also suspected to be behind hacking campaigns against cryptocurrency exchanges, distributed denial of service attacks, and the destructive WannaCry ransomware.
