Yesterday evening Google’s Threat Analysis Group reported that a North Korean threat actor had been quietly and plausibly engaged in social engineering of vulnerability researchers working for security companies. The campaign seems to represent a significant advance in subtlety and craft on Pyongyang’s part. The threat actors created research blogs and multiple Twitter personae which they used to discuss various publicly known vulnerabilities, often claiming successful development of proof-of-concept exploits. (The blogs even attracted and published “guest posts” from legitimate researchers.) It was, as The Register writes, “a long con.” The evident goal was espionage.
The method was to cultivate trust and then induce researchers to unwittingly install malicious code and an in-memory backdoor that beaconed to DPRK-controlled servers. Some compromises were accomplished when the victims visited one of the threat actors’ sites. Another known way in which victims were compromised involved their being induced to collaborate on a research project. According to BleepingComputer, the threat actors would share a Visual Studio project that included the proof-of-concept exploit they represented themselves as working on; it also included a malicious hidden DLL. “At the time of these visits,” Google says, “the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.”
Anonymous has resurfaced, and it’s interested in Malaysia, if in fact those posting a video excoriating Kuala Lumpur for poor cybersecurity practices do represent the anarchist collective. The video includes an implicit threat of data theft. Yahoo Finance says the government is taking the threat seriously.