The Lazarus Group Targeted Cybersecurity Researchers Again, Google Says
The North Korean Government-Backed Hacking Group Has Set Up A Fake Company Website to Target Security Researchers.
According to Google’s Threat Analysis Group research published yesterday, the North Korean state-sponsored operation has set up a fake security company and social media accounts as part of a broad campaign targeting cybersecurity researchers with malware linked to the Lazarus Group.
In January, the Threat Analysis Group documented a hacking campaign, which we were able to attribute to a North Korean government-backed entity, targeting security researchers. On March 17th, the same actors behind those attacks set up a new website with associated social media profiles for a fake company called “SecuriElite.”
The attackers created a website, as well as a Twitter and LinkedIn account for a fake company named SecuriElite, located in Turkey. The company was supposedly offering offensive security services as the Google security team focused on hunting down the state-backed hackers.
In order to build credibility and connect with security researchers, the threat actors established a research blog and interacted with the potential targets via tweets.
They have posted links to their blog, videos of their claimed exploits, and amplified and retweeted posts from other accounts that they control.
The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action.
Thankfully, the attacks were discovered in their early stage as the SecuriElite site wasn’t yet set up to deliver any malicious payloads.
Active since at least 2009, Lazarus has also been linked to ransomware campaigns, cyber espionage, and cryptocurrency business attacks. They have also used COVID19-themed spear-phishing emails with malicious attachments or links as the initial access vector to the companies’ enterprise network. Once the document is opened, ThreatNeedle malware is installed, allowing the attacker to obtain full control of the victim’s device, manipulate it and remotely execute commands.
Threat Analysis Group’s Adam Weidemann said Google has not observed the new attacker website serve malicious content but has added it to Google Safebrowsing as a precaution.