Google Warning: North Korean Hackers Breach Windows And Chrome Defenses To Attack Security Researchers
North Korean hackers have been masquerading as cybersecurity bloggers in order to target researchers in the field, according to Google. They’re doing so by exploiting mysterious weaknesses in computers running the most up-to-date versions of Microsoft Windows and Google Chrome, the tech giant warned Monday.
Adam Weidemann, a researcher at Google’s Threat Analysis Group, said the attacks have been ongoing over the last three months. The hackers set up fake Twitter accounts to show off security research and link to a blog. One of the accounts—@br0vvnn—claimed to be the founder of @BrownSec3Labs and looked to be posting innocuous research as well as promoting others’ work, including Google’s own researcher Ben Hawkes. Earlier this month, another Google researcher, Thomas Shadwell, was sent a Twitter direct message by one of the hackers’ personas, Zhang Guo, though it’s unclear what they wanted. While the blog did contain some legitimate research (as well as faked material), it also hosted an exploit that would install a backdoor on the victim’s PC. Only Windows PCs have been attacked thus far.
“In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Weidemann wrote in a Google blog post.
“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have.”
Such “zero-day” vulnerabilities are rare and potent in the hands of a hacker, who can use them on any target knowing that their software will contain the relevant security holes. Weidemann noted that Google offers a cash reward for anyone who discloses such flaws, as Microsoft, Apple and many other tech companies do.
Google said that “a government-backed entity based in North Korea” was responsible. That the country is targeting security researchers, who often have the inside track on the latest exploits and holes in different software, could cause alarm among Western nations. North Korea has been linked with some of the most brazen and aggressive hacking attacks in recent years that stretch from targeting governments and bitcoin heists, to leaking thousands of Sony Pictures’ emails and files online.
The hackers also got more personal with their targets, Weidemann added. They would ask a researcher if they wanted to collaborate on vulnerability research together, providing them with a Microsoft Visual Studio project. That project contained malicious code that would launch on the target’s PC and start beaconing back to the hackers, who could then explore the infected system for further weaknesses.
Weidemann provided a list of websites, as well as Twitter, LinkedIn, Telegram and Keybase accounts used by the hackers. He suggested that anyone who communicated with any of these accounts or visited the actors’ blog review their systems for signs of a breach.
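One form that review can take is checking browser history for the blog indicator quoted above. The following is an added example, not code from the article or from Google: it refangs the defanged domain, queries a copy of Chrome's History SQLite database for visits whose host is that domain or a subdomain of it, and converts Chrome's WebKit timestamps to UTC so a visit can be placed in the campaign window. It relies on the known Chrome History layout (a `urls` table joined to `visits`, with `visit_time` in microseconds since 1601-01-01); the sample database it builds is constructed, not a real capture.

```python
import re
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

DEFANGED_DOMAIN = "blog.br0vvnn[.]io"  # the indicator as the article prints it
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def webkit_to_datetime(us: int) -> datetime:
    """Chrome stores visit_time as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def find_visits(history_db, domain: str) -> list:
    """(url, UTC time) of visits whose host is the domain or a subdomain of it.
    Run this on a copy of the History file; Chrome keeps the live one locked."""
    con = sqlite3.connect(history_db)
    rows = con.execute(
        "SELECT urls.url, visits.visit_time FROM visits "
        "JOIN urls ON urls.id = visits.url WHERE urls.url LIKE ?",
        (f"%{domain}%",),
    ).fetchall()
    con.close()
    hits = []
    for url, ts in rows:  # LIKE is only a prefilter; compare the host exactly
        host = re.sub(r"^[a-z]+://", "", url).split("/")[0].lower()
        if host == domain or host.endswith("." + domain):
            hits.append((url, webkit_to_datetime(ts)))
    return hits


def demo() -> list:
    """Build a constructed sample History DB (not a real capture) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = f"{tmp}/History"
        con = sqlite3.connect(db)
        con.executescript(
            "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
            "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);"
            "INSERT INTO urls VALUES (1, 'https://blog.br0vvnn.io/posts/1', 'write-up');"
            "INSERT INTO urls VALUES (2, 'https://notblog.br0vvnn.io/', 'lookalike');"
            "INSERT INTO visits VALUES (1, 1, 13256006400000000);"  # 2021-01-25T00:00:00Z
            "INSERT INTO visits VALUES (2, 2, 13256006460000000);"
        )
        con.close()
        return find_visits(db, refang(DEFANGED_DOMAIN))
```

On a real system, point `find_visits` at a copy of the profile's `History` file; the lookalike host in the sample shows why the exact host comparison after the `LIKE` prefilter matters.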