[TheRecord] Twitter suspends two accounts used by DPRK hackers to catfish security researchers

Twitter has suspended today two accounts operated by North Korean government hackers and used as part of a clever plot to attract security researchers to malicious sites and infect their systems with malware.

The accounts —@lagal1990 and @shiftrows13— are part of a long-lived DPRK cyber-espionage campaign that began last year and specifically targets members of the cybersecurity community.

First exposed by the Google Threat Analysis Group in January this year, this campaign is still ongoing.

At the time, Google said that North Korean agents worked for months to create personas for fake security researchers on various social networks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, which they used to post infosec-related content, gain a reputation in the industry, and reach out to security researchers.

If victims responded, the DPRK hackers would ask researchers to work together on various projects and eventually lure them to sites hosting malicious JavaScript code that would infect their victims’ computers with malware.

While unclear what happened after an infection took place, the general theory was that DPRK agents would gain access to the researchers’ computers and search and steal non-public exploits or vulnerability write-ups, or spy on the researcher’s employer— which could be security firms or governments agencies, classical targets of North Korean espionage.

Even if Google exposed this campaign in January, the attacks did not stop. In March, Google said it found new Twitter accounts part of this operation and even a fake cybersecurity company named SecuriElite that the North Korean hackers used as part of their catfishing attempts.

Since then, both Google TAG and the infosec community have been on the lookout for new accounts that may be linked to this operation.

Accounts had been active for months

Today, Adam Weidemann, an analyst with Google TAG, said that Twitter had suspended two new accounts part of this operation after another one was suspended in August.

We (TAG) confirmed these are directly related to the cluster of accounts we blogged about earlier this year. In the case of lagal1990, they renamed a github account previously owned by another of their twitter profiles that was shutdown in Aug, mavillon1 pic.twitter.com/FXQ0w57tyE

— Adam (@digivector) October 15, 2021

Just like in the previous cases, the accounts posted cybersecurity-related content, such as proof-of-concept code for recently disclosed exploits, in the hopes of gaining a reputation in the infosec community.

None of the two accounts had more than 1,000 followers.

It is unclear if the two accounts had contacted other researchers or if they were still in the reputation-building phase.

The post Twitter suspends two accounts used by DPRK hackers to catfish security researchers appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

Daily NCSC-FI news followup 2019-08-14

In the Balkans, businesses are under fire from a doublebarreled weapon www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/ Weve discovered an ongoing campaign in the Balkans spreading two tools having a similar purpose: a backdoor and a remote access trojan we named, respectively, BalkanDoor and BalkanRAT August Patch Tuesday: Update Fixes Wormable Flaws in Remote Desktop Services, VBScript Gets Disabled by […]

Read More

[SecurityWeek] Bit Discovery Banks $4 Million for Attack Surface Management Tech

All posts, Security Week

Jeremiah Grossman’s Bit Discovery has banked another $4 million in venture capital funding to compete in the crowded attack surface management space. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[ZDNet] ‘Serial’ romance fraudster jailed for trying to scam 670 people in the UK

All posts, ZDNet

Victims were conned out of thousands of pounds, including one woman who was terminally ill. Source: Read More (Latest topics for ZDNet in Security)

Read More