UPDATED 21:00 EDT / JANUARY 26 2021

SECURITY

Google warns North Korean hackers are targeting security researchers

Google LLC’s Threat Analysis Group issued a warning Monday that a North Korean advanced persistent threat group has been targeting security researchers working on vulnerability research and development at various companies and organizations.

The campaign involves the threat actors establishing a research blog and multiple Twitter accounts in an effort to build credibility and connect with security researchers. The blog is said to contain writeups and analyses of vulnerabilities that have been publicly disclosed, and it includes guest posts from legitimate security researchers who have been tricked into believing they are being published on a legitimate site.

At least some of the exploits published on the blog may have been legitimate, but in one case the threat actors faked the success of a claimed working exploit for a recently disclosed Windows Defender vulnerability.

Having established fake bona fides, the North Korean hackers then reach out to security researchers offering to collaborate on vulnerability research. If the security researcher agrees, the hackers provide the researcher with a Visual Studio project that includes source code for exploiting the vulnerability along with an additional DLL. The DLL, however, contains custom malware that immediately connects to a command-and-control server operated by the hackers.
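The lure described above is a source-code project that ships a compiled binary nobody asked for. A practical defensive habit is to inventory any project received from an unverified collaborator before it is opened in an IDE or built. The following script is an added example, not code from the article, from Google TAG, or from any of the companies quoted; the directory layout, file names (`exploit.vcxproj`, `helper.dll`, `main.cpp`) and the DLL contents are constructed for the demonstration. It walks a project tree, lists every compiled artifact bundled with the source, records its SHA-256 for later lookup, and reports which project files reference it. Because MSBuild project files can also run commands during a build (`PreBuildEvent`, `PostBuildEvent`, `PreLinkEvent`, `Exec`), it lists those too so a reviewer sees every place a bundled binary or command could be triggered; the article does not say how the DLL was loaded, so that check is an assumption about what a reviewer would want rather than a description of the campaign.

```python
"""Inventory an untrusted Visual Studio project before opening or building it.

Added example (not from the article, Google TAG, or any quoted company).
Reports bundled binaries with their SHA-256 hashes, which project files
reference them, and which project files carry build-time commands.
"""
import hashlib
import re
import tempfile
from pathlib import Path

BINARY_SUFFIXES = {".dll", ".exe", ".sys", ".ocx", ".lib", ".obj"}
PROJECT_SUFFIXES = {".vcxproj", ".csproj", ".props", ".targets"}
# MSBuild elements that execute commands when the project is built.
BUILD_EVENT_RE = re.compile(r"<(PreBuildEvent|PreLinkEvent|PostBuildEvent|Exec)\b")

# Constructed sample DLL bytes (an "MZ" prefix only; not a real PE image).
SAMPLE_DLL_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real PE"

# Constructed sample project file referencing the bundled DLL and carrying
# a harmless post-build command, so both checks have something to find.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="main.cpp" />
    <None Include="helper.dll" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>echo constructed placeholder command</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root) -> dict:
    """Return bundled binaries (with hashes and referencing project files)
    and project files (with any build-time command elements)."""
    root = Path(root)
    binaries, projects = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        suffix = p.suffix.lower()
        if suffix in BINARY_SUFFIXES:
            binaries.append(p)
        elif suffix in PROJECT_SUFFIXES:
            projects.append(p)

    project_texts = {proj: proj.read_text(errors="replace") for proj in projects}

    binary_findings = []
    for b in binaries:
        referenced_by = [
            str(proj.relative_to(root))
            for proj, text in project_texts.items()
            if b.name.lower() in text.lower()
        ]
        binary_findings.append({
            "path": str(b.relative_to(root)),
            "size": b.stat().st_size,
            "sha256": sha256_of(b),
            "referenced_by": referenced_by,
        })

    project_findings = [
        {"path": str(proj.relative_to(root)),
         "build_events": BUILD_EVENT_RE.findall(text)}
        for proj, text in project_texts.items()
    ]
    return {"binaries": binary_findings, "project_files": project_findings}


def build_sample_project(base) -> Path:
    """Write the constructed sample: one source file, one project file,
    and one unexplained DLL, mirroring the lure described in the article."""
    root = Path(base) / "received_project"
    root.mkdir(parents=True, exist_ok=True)
    (root / "main.cpp").write_text("int main() { return 0; }\n")
    (root / "helper.dll").write_bytes(SAMPLE_DLL_BYTES)
    (root / "exploit.vcxproj").write_text(SAMPLE_VCXPROJ)
    return root


def run_demo() -> dict:
    """Build the sample in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as d:
        return inventory(build_sample_project(d))


if __name__ == "__main__":
    report = run_demo()
    for b in report["binaries"]:
        print(f"binary {b['path']} ({b['size']} bytes) sha256={b['sha256']}")
        print(f"  referenced by: {b['referenced_by'] or 'nothing (unreferenced binary)'}")
    for pf in report["project_files"]:
        print(f"project {pf['path']} build events: {pf['build_events'] or 'none'}")
```

Run it against a real project directory by calling `inventory(path)`; a binary that no project file references, or a build event in a project that should only contain source, is the kind of finding that warrants opening the project on an isolated machine rather than a workstation with access to unpublished research.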

“This appears to be an attempt to get broader access to a number of security researchers with the goal to have early information about the issues and vulnerabilities they are working on,” Dirk Schrader, global vice president at cybersecurity and compliance software company New Net Technologies Ltd., told SiliconANGLE. “If it would have been more successful – we don’t know yet how many researchers actually got caught – the APT group likely would have garnered valuable info and would have provided itself a head start on exploiting the vulnerabilities discovered by those researchers.”

Schrader explained the process by which a disclosure is used by researchers. “A bit simplified, they inform the vendor about their findings, the vendor verifies the findings and fixes the bug and with the release of the patch, the researcher gets the credit,” he said. “Google’s policy of a 90-day disclosure deadline tries to limit this period as for some vendors it can take ages.”

The issue is that with early access to newly found, fresh vulnerabilities, the APT groups can leap forward in their capabilities to attack networks and systems. “That is why it is critical to learn as much as possible about this social engineering attempt because it will serve as a template for others, similar to the SolarWinds attack,” he said.

Mike Kiser, senior identity strategist at identity and access management firm SailPoint Technologies Inc., noted that the incident serves as a cautionary tale that even the most security-aware can be victims. “It calls all of us to treat unknown persons online with a similar level of suspicion that we would if they came and knocked on our own front doors: asking probing questions of identity and examining any weaknesses or warning signs before allowing the conversation to continue,” he said.

Photo: fljckr/Flickr
