Google's Threat Analysis Group (TAG) has spotted a hacking campaign against cyber security researchers that was allegedly conducted by actors related to the so-called Lazarus Group, which is believed to be linked to the North Korean government.
TAG said in a report on Tuesday that “a government-backed entity based in North Korea” used fake profiles on several social networks, including Twitter, LinkedIn, Telegram, Discord, and Keybase, to approach security specialists involved in vulnerability research.
TAG’s Adam Weidemann, for his part, explained that in some instances, the hacking group used emails to establish initial communications with the targeted persons.
After establishing contact, “the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project”, Weidemann wrote. According to TAG, the project contained source code for the supposed exploit together with an additional DLL that was executed through Visual Studio Build Events when the researcher built the project; the DLL was custom malware that immediately began communicating with actor-controlled command-and-control domains.
In other cases, the hackers asked researchers to open a link to a blog post they hosted at blog[.]br0vvnn[.]io, Weidemann said. Shortly after the link was opened, “a malicious service was installed on the researcher's system” and an in-memory backdoor “would begin beaconing to an actor-owned command and control server”.
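The Visual Studio project vector described above relies on the fact that an MSBuild project file can run arbitrary commands, or load an arbitrary DLL, the moment the recipient builds it; TAG's report states that the malicious DLL was executed through Visual Studio Build Events. The following is an added example (not code from Google TAG or from the article) showing the check a researcher can run before building a project someone sent them: it parses a .vcxproj or .csproj and reports every build-time execution point. The sample project embedded in it is constructed for illustration; the file names `helper.dll` and `setup.bat` are hypothetical.

```python
"""Audit an MSBuild project file (.vcxproj/.csproj) for commands that run at build time.

Added example, not code from Google TAG or the article. It reports the places
where a project can execute code when built: PreBuildEvent/PreLinkEvent/
PostBuildEvent properties, <Exec> tasks inside <Target>s, <UsingTask> assembly
loads, and <Import>s of project files outside the standard MSBuild locations.
"""
import xml.etree.ElementTree as ET

# Property elements whose content the build runs as a shell command.
# vcxproj nests the script in a <Command> child; classic csproj puts it in the element text.
EVENT_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Imports that start with these macros come from the toolchain, not from the sender.
TRUSTED_IMPORT_PREFIXES = (
    "$(VCTargetsPath)",
    "$(MSBuildToolsPath)",
    "$(MSBuildExtensionsPath)",
    "$(MSBuildBinPath)",
)


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://...}Exec' -> 'Exec'."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text: str) -> list:
    """Return one {'kind', 'detail'} finding per build-time execution point in the project XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_ELEMENTS:
            cmd = next((c.text for c in elem if _local(c.tag) == "Command"), elem.text)
            if cmd and cmd.strip():
                findings.append({"kind": name, "detail": cmd.strip()})
        elif name == "Exec":
            # <Exec Command="..."/> inside a <Target> runs a shell command during the build.
            cmd = elem.get("Command", "")
            if cmd.strip():
                findings.append({"kind": "Exec", "detail": cmd.strip()})
        elif name == "UsingTask":
            # Loads a task assembly (a DLL) into the MSBuild process itself.
            asm = elem.get("AssemblyFile") or elem.get("AssemblyName") or ""
            findings.append({"kind": "UsingTask", "detail": asm})
        elif name == "Import":
            # A sender-supplied .props/.targets file can carry any of the above.
            proj = elem.get("Project", "")
            if proj and not proj.startswith(TRUSTED_IMPORT_PREFIXES):
                findings.append({"kind": "Import", "detail": proj})
    return findings


# Constructed sample: a vcxproj with a pre-build event and a post-build Exec task
# (hypothetical file names, for illustration only).
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.Default.props" />
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.targets" />
  <Target Name="AfterBuild">
    <Exec Command="$(ProjectDir)setup.bat" />
  </Target>
</Project>
"""

# Constructed sample with no build-time execution points.
CLEAN_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.Default.props" />
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.targets" />
</Project>
"""


if __name__ == "__main__":
    for finding in scan_project(SAMPLE_VCXPROJ):
        print(f"{finding['kind']:>14}: {finding['detail']}")
```

The scan is a static triage aid, not a verdict: a project with no findings can still reference a NuGet package or a pre-built binary, and a finding is only evidence that something runs at build time. The safe default for a project from an unverified contact is to read it and build it in a disposable VM.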
The TAG researcher pointed out that the victims who visited the site “were running fully patched and up-to-date Windows 10 and Chrome browser versions” and that, for now, TAG is “unable to confirm the mechanism of compromise”, though it welcomes “any information others might have”.
The hacks reportedly affected Israeli defence and government companies, as well as their employees. The Israeli Defence Ministry acknowledged at the time that a hacking attempt had been made, but said it was thwarted and no sensitive information was stolen.