Google’s Threat Analysis Group (TAG) has discovered a new ongoing campaign targeting security researchers working on vulnerability research.
The campaign is allegedly tied to a North Korean government-backed entity and used multiple means to target researchers. The hackers set up fake accounts on LinkedIn, Twitter, Telegram, Discord, Keybase and email to communicate with potential victims.
Moreover, the actors also set up a blog with posts and communicated with researchers in an effort to gain their trust and “collaborate” on research efforts.
Some researchers sent out warnings after they had received backdoored files from the hackers in an attempt to compromise their systems.
“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” Adam Weidemann from Google’s TAG team wrote in a blog post.
Bad actor accounts, sites and IoCs
Google's TAG team published a list of actor accounts and sites that have been identified as part of the campaign.
Those include specific accounts created on Twitter, LinkedIn, Keybase and Telegram.
In addition, researchers should take note of the blog site used in the campaign – https://blog.br0vvnn[.]io. Moreover, Google also provided the attacker-owned, as well as legitimate but compromised, command and control (C2) domains used in the attacks.
Finally, Google listed sample hashes for the malware, C2 URLs and host-based Indicators of Compromise (IoCs).