Google late Monday raised the alarm about a “government-backed entity based in North Korea” targeting -- and hacking into -- computer systems belonging to security researchers.
Google’s Threat Analysis Group (TAG), a team that monitors global APT activity, said the ongoing campaign is aimed at security researchers working on vulnerability research and development at different companies and organizations.
The campaign, which is well organized across multiple online platforms, included drive-by browser compromises from booby-trapped websites.
“In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Google’s Adam Weidemann explained.
“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,” Weidewmann said, suggesting the possible use of zero-day exploits.
He said Google was unable to confirm the mechanism of compromise and asked for the public to report Chrome vulnerabilities, including those being exploited in the wild (ITW), to its Chrome's Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.
Google said the actors behind this campaign are linked to a government-backed entity based in North Korea, worked over time to build credibility and connect with security researchers.
The actors established a research blog and multiple Twitter profiles and used the Twitter accounts to post lin ..