A campaign by North Korean hackers targeting security researchers has now set up a new website to continue going after security professionals.
According to Google Research, North Korean-linked hackers have set up fake security companies and social media accounts as part of an operation to infect cybersecurity researchers with malware.
Google's Threat Analysis Group (TAG), which specializes in tracking advanced persistent threat groups, said the North Korean attackers had created fake profiles across various social media platforms, including Keybase, LinkedIn, and Twitter.
Adam Weidemann, a researcher at Google's TAG, reveals that the new site belongs to a fake company named SecuriElite, supposedly based in Turkey. The company claims to offer offensive security services such as pen-testing, software security assessments, and exploits.
The attackers set up the new company in March. The Twitter accounts that appear to be linked with the fake company have only one follower and have tweeted just once, which by itself raises doubts about the company's authenticity: a genuine security firm's account is very unlikely to have a single follower and a single tweet.
This is not the first time North Korean hackers have been linked to attacks of this kind. Previously, the hacker group established fake websites and social media accounts to trick security researchers into downloading malware. That earlier campaign, which infected professionals with malware, created accounts on Keybase, Telegram, Discord, LinkedIn, and Twitter.
In this campaign, the hackers use two fake LinkedIn accounts posing as recruiters for antivirus and other security companies. Google said one of the recruiters, named Carter Edwards, claimed to work at a company called Trend Macro, a name that someone searching for an information security job could easily confuse with the real security company Trend Micro.
Besides Trend Macro, six LinkedIn and eight Twitter profiles describing themselves as vulnerability researchers and HR personnel at various information security companies were created for this purpose. Others impersonated CEOs and employees of those companies.
Google also said it had contacted Twitter and LinkedIn so they could take action against the latest social media accounts. Both platforms removed the fake accounts promptly.
The fundamental purpose behind these attacks is still unclear. It is suspected that the threat actor aims to gain access to researchers' systems in order to obtain their zero-day research, and then to use those unpatched vulnerabilities against further targets of its choosing.