
Google warns of ‘novel social engineering method’ used to hack security researchers


Government-backed hackers in North Korea are reportedly responsible


Illustration by Alex Castro / The Verge

Government-backed hackers based in North Korea are targeting individual security researchers through a number of means, including a “novel social engineering method,” Google’s Threat Analysis Group reports. The campaign has reportedly been ongoing for several months and, more worryingly, appears to have compromised fully patched Windows 10 and Chrome installations, which points to vulnerabilities that had no fix available at the time.

Although Google doesn’t say exactly what the aim of the campaign is, it notes that the targets work on “vulnerability research and development.” This suggests the attackers may be after non-public vulnerabilities and exploits that they could reuse in future state-sponsored attacks.

Hackers set up a network of Twitter accounts and a cybersecurity blog

According to Google, the hackers set up a cybersecurity blog and a series of Twitter accounts in an apparent attempt to build and amplify credibility while interacting with potential targets. The blog focused on writing up vulnerabilities that were already public, while the Twitter accounts posted links to the blog as well as videos of other alleged exploits. At least one of the purported exploits was faked, according to Google. The search giant cites several cases of researchers’ machines being infected simply by following a link to the hackers’ blog, even while running fully patched, current versions of Windows 10 and Chrome.

The social engineering method Google outlines involved contacting security researchers and asking them to collaborate on vulnerability research. Once a target agreed, the hackers would send over a Visual Studio project containing malware; working with the project would infect the target’s computer, and the implant would then begin contacting the attackers’ command-and-control server.
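As an added check (example code, not from the article or from Google TAG): an MSBuild project file can carry commands that run as soon as it is built, in build events, Exec tasks and inline tasks. The script below lists them from a project’s XML, flags commands that mention common living-off-the-land binaries, and runs against two constructed sample projects, a booby-trapped classic .vcxproj and a clean SDK-style .csproj. The sample contents and the keyword list are assumptions made for illustration; the script does not claim to reproduce how the malware in this campaign was wired in, which the article does not detail.

```python
"""Inspect an MSBuild project (.vcxproj/.csproj) for build-time command execution.

Added example; not code from The Verge article or from Google TAG. Any command
in a <PreBuildEvent>/<PreLinkEvent>/<PostBuildEvent>, any <Exec> task inside a
<Target>, and any inline <UsingTask> runs on the developer's machine as soon as
the project is built, so listing them is a cheap check before opening a project
someone sent you. The two sample projects below are constructed for this
example and are not artifacts from the campaign.
"""
import xml.etree.ElementTree as ET

# Build-event containers whose child <Command> text MSBuild executes.
BUILD_EVENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Strings that, inside a build command, warrant a close look (heuristic only:
# every build command in an unfamiliar project deserves reading in full).
LOLBIN_HINTS = ("rundll32", "regsvr32", "powershell", "pwsh", "mshta", "certutil",
                "cmd.exe", "cmd /c", "wscript", "cscript", "bitsadmin", "curl",
                "invoke-")


def _local(tag: str) -> str:
    """Strip the XML namespace: present in classic .vcxproj, absent in SDK-style .csproj."""
    return tag.rsplit("}", 1)[-1]


def is_suspicious(command: str) -> bool:
    """Heuristic: does the command mention a common living-off-the-land binary?"""
    lowered = command.lower()
    return any(hint in lowered for hint in LOLBIN_HINTS)


def find_build_commands(project_xml: str) -> list:
    """Return every command the project would run at build time, in document order.

    Each finding is a dict with 'kind', 'command' and 'suspicious'.
    """
    root = ET.fromstring(project_xml)

    # ElementTree has no parent links, so record which <Target> owns each <Exec>.
    exec_owner = {}
    for target in root.iter():
        if _local(target.tag) == "Target":
            for task in target.iter():
                if _local(task.tag) == "Exec":
                    exec_owner[id(task)] = target.get("Name", "?")

    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in BUILD_EVENTS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    cmd = child.text.strip()
                    findings.append({"kind": name, "command": cmd,
                                     "suspicious": is_suspicious(cmd)})
        elif name == "Exec":
            cmd = (elem.get("Command") or "").strip()
            if cmd:
                findings.append({"kind": "Exec:" + exec_owner.get(id(elem), "?"),
                                 "command": cmd, "suspicious": is_suspicious(cmd)})
        elif name == "UsingTask" and elem.get("TaskFactory"):
            # Inline tasks compile and run arbitrary C#/VB at build time.
            desc = f"{elem.get('TaskName', '?')} via {elem.get('TaskFactory')}"
            findings.append({"kind": "UsingTask", "command": desc, "suspicious": True})
    return findings


# Constructed sample: a classic C++ project whose build runs a bundled DLL and a
# hidden PowerShell script. Not taken from the campaign.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Entry</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.targets" />
  <Target Name="AfterBuild">
    <Exec Command="powershell -nop -w hidden -File &quot;$(ProjectDir)setup.ps1&quot;" />
  </Target>
</Project>
"""

# Constructed sample: an SDK-style C# project with nothing executed at build time.
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
"""


def report(project_xml: str, label: str) -> None:
    """Print a triage summary for one project file."""
    findings = find_build_commands(project_xml)
    print(f"{label}: {len(findings)} build-time command(s)")
    for f in findings:
        flag = "!!" if f["suspicious"] else "  "
        print(f"  {flag} [{f['kind']}] {f['command']}")


if __name__ == "__main__":
    report(SAMPLE_VCXPROJ, "sample.vcxproj")
    report(CLEAN_CSPROJ, "clean.csproj")
```

Run it over a project file before opening it in Visual Studio. It is a triage aid rather than a guarantee: a project can also pull further .targets files in through Import, and Visual Studio evaluates (and may design-time build) a project when it is opened, so Google’s advice to keep research on a machine separate from day-to-day use still applies.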

According to Google, the attackers used a range of platforms, including Telegram, LinkedIn and Discord, to communicate with potential targets. Google listed the specific accounts in its blog post and says anyone who has interacted with them should check their systems for signs of compromise, and should keep their research on a separate machine from the one used for day-to-day activity.

The campaign is the latest incident of security researchers being targeted by hackers. Last December, the leading US cybersecurity firm FireEye disclosed that it had been compromised by a state-sponsored attacker. In FireEye’s case, the targets of the hack were the internal red-team tools it uses to test its clients’ systems for weaknesses.