Micro Focus is now part of OpenText. Learn more >

You are here

You are here

APT team attacks white hats: Google fingers North Korea

Richi Jennings Your humble blogwatcher, dba RJA
North Korean military personnel

North Korean state-sponsored hackers are targeting and attacking white-hat security researchers. They’re using a combination of zero-day exploits, Trojan-laced VS project bundles, and good old social engineering.

So says Google’s Threat Analysis Group (TAG), which has been looking into the perps. It’s blaming APT38 (a.k.a. Lazarus Group, DarkSeoul, ZINC, etc.)

And there are lessons for all of us. In this week’s Security Blogwatch, let’s be careful out there.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: shanties jump the shark.


What’s the craic? Catalin Cimpanu reports—North Korean hackers have targeted security researchers via social media:

A North Korean government hacking group has targeted members of the cyber-security community engaging in vulnerability research. … The attacks have been spotted by … TAG, a Google security team specialized in hunting advanced persistent threat (APT) groups.

[It’s been] linked to the Lazarus Group, a well-known North Korean state-sponsored operation. … Some security researchers believe the North Korean group most likely used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy their malicious code.

The reason for targeting security researchers? … To steal exploits for vulnerabilities discovered by the infected researchers, vulnerabilities that the threat group could deploy in its own attacks with little to no development costs.

And Jon Porter carries the story—Google warns of ‘novel social engineering method’:

Government-backed hackers based in North Korea are targeting individual security researchers through a number of means. [It] worryingly appears to exploit unpatched Windows 10 and Chrome vulnerabilities.

[TAG] cites several cases of researchers’ machines having been infected simply by visiting the hackers’ blog, even when running the latest versions of Windows 10 and Chrome. … The attackers used a range of different platforms — including Telegram, LinkedIn and Discord.

Let’s go to the horse’s mouth. Google TAG’s Adam Weidemann hits the panic button—New campaign targeting security researchers:

The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers. … We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant.

The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research [via] a Visual Studio Project. Within the Visual Studio Project would be [a] DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2.

We have also observed several cases where researchers have been compromised after visiting the actors’ blog. … Shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing. … We’re unable to confirm the mechanism of compromise.

We recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties, and your own security research.

So who got hacked? Gareth Corfield relates Alejandro Caceres’ story—I was targeted by North Korean 0-day hackers:

"When I read the Google thing I honestly think I said out loud, 'Holy ****,' I thought it was insane. Attacked by a nation state? Me!?"

A vulnerability broker he had known for a while and trusted had introduced him to a new researcher called James Willy "from New York," Caceres [said]. "We hopped in a group chat, the three of us, and he sent me a Visual Studio project to take a look at a driver bug that caused a blue screen of death."

"James" [said] it was linked to Google Chrome – an instant attention-grabber for bug hunters. Vulns affecting software used by tens of millions worldwide are rare and command hefty rewards. … "The code was all legit, it was a real crash with potential security implications, but I wasn't careful when I opened the Visual Studio project." [But] opening some Visual Studio projects can cause code to execute, which was the North Koreans' attack vector.

Sometimes – just sometimes – those evil nation state hackers really are coming after you. Being an ordinary bughunting pro doesn't make you less of a target.

But this Anonymous Coward is distinctly unimpressed:

A whitehat that runs Windows 10, Chrome and Visual Studio outside of a sandbox doesn't deserve to be called a hacker.

A unique exploit? Nope: Seongsu Park—@unpacker—has déjà vu:

We have seen that Lazarus group use this malware cluster, we named ThreatNeedle, in recent attack against the defense industry. It’s almost identical malware with the same RC4 key and the overlapped infrastructure. Surprised that it's a researcher target at this time.

Wait. Pause. How do we know it was the DPRK, anyway? martinusher ain’t convinced:

I think there's some kind of dice or spinner that they use that's marked "Russia, China, Iran, Cuba, North Korea" and so on that news services use to identify the 'nation state' responsible for the hack du jour.

I'm not ruling out nation states, just that there are a lot more criminals out there than there are nation states. There's also good money to be made from vulnerabilities so I'd expect that less than ethical people would have moved in to what is a decent business opportunity.

Indeed. scooby359 would have gotten away with it, if it wasn’t for you pesky kids: [You’re fired—Ed.]

I’m always curious how such a seemingly backwards country can have such advanced cyber security skills.

Yeah, right. Brian Bixby agrees:

I'm still surprised that the "North Korean Super-Hacker" foolishness is still a thing. They have a single … fiber line that goes through the Great Firewall of China (until a few years ago it was a paired T-3 to Taiwan that frequently was congested by Kim's porn habit.)

IIRC there's one small data center in the entire country with obsolete cast-off Chinese servers. … They don't have the capability to hire any decent instructors for their tiny educated class to teach them hacking.

And yet we're supposed to tremble in our boots that the North Korean Super-Hackers are coming to get us. Seems far more likely some criminals in China or Hong Kong are spoofing NK addresses.

Meanwhile, QuantifiableQuoll has this warning for us all:

The blog was also linked to on various security subreddits. If you’re the type of person who frequents those subreddits, you will want to check your computer over.

The moral of the story?

Social engineering isn’t only for normies. Whether you’re an IT puke, an agile Dev(Sec)Ops sprinter, or a 1337 haxor: Question everything.

And finally

Can we all agree? That’s enough sea shanties.

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Micha Brändli (via Unsplash)

Keep learning

Read more articles about: SecurityInformation Security