North Korea Targets—and Dupes—a Slew of Cybersecurity Pros

One early January morning, security researcher Zuk Avraham got a nondescript direct message out of the blue on Twitter: “Hi.” It was from someone named Zhang Guo. The short, unsolicited message wasn't too unusual; as the founder of both the threat-monitoring firm ZecOps and the antivirus firm Zimperium, Avraham gets a lot of random DMs.


Zhang claimed to be a web developer and bug hunter in his Twitter bio. His profile showed that he'd created his account last June and had 690 followers, perhaps a sign that the account was credible. Avraham responded with a simple hello later that night, and Zhang wrote back immediately: “Thanks for your reply. I have some questions?” He went on to express interest in Windows and Chrome vulnerabilities and to ask Avraham if he was himself a vulnerability researcher. That’s where Avraham let the conversation trail off. “I didn’t reply—I guess being busy saved me here,” he told WIRED.


Avraham wasn’t the only one who had this sort of conversation with the “Zhang Guo” Twitter account and its associated aliases, all of which are now suspended. Dozens of other security researchers—and possibly even more—in the United States, Europe, and China received similar messages in recent months. But as Google's Threat Analysis Group revealed Monday, those messages weren't from bug-hunting hobbyists at all. They were the work of hackers sent by the North Korean government, part of a sweeping campaign of social engineering attacks designed to compromise high-profile cybersecurity professionals and steal their research.

The attackers didn't limit themselves to Twitter. They set up identities across Telegram, Keybase, LinkedIn, and Discord as well, messaging established security researchers about potential collaborations. They ..