Twitter Suspends North Korean Threat Actor Accounts
Google TAG: Threat Group DPRK Targeted Security Researchers
Social media platform Twitter has suspended two accounts that were being used by members of the DPRK, a North Korean government-backed threat group, according to Adam Weidemann, an analyst with the Google Threat Analysis Group.
Weidemann reports that independent researchers Francisco Alonso and Javier Marcos identified the threat actor accounts and shared the information with Google's Threat Analysis Group (TAG), which confirmed the findings.
Props to @revskills and @javutin who identified and reported more DPRK Twitter profiles. Both accounts, @lagal1990 and @shiftrows13, posed as security researchers - leaning on the hype of 0 days to gain followers and build credibility. pic.twitter.com/ICYu6DKyzQ
— Adam (@digivector), October 15, 2021
"We [Google TAG] confirmed these [threat actor accounts] are directly related to the cluster of accounts we blogged about earlier this year. In the case of lagal1990, they renamed a GitHub account previously owned by another of their Twitter profiles that was shut down in Aug, mavillon1," Weidemann adds.
In a Jan. 25, 2021, blog post, Google TAG warned users of an ongoing campaign, attributed to "a government-backed entity based in North Korea," targeting security researchers.
At the time, the Google TAG researchers noted that the threat actors created several Twitter profiles posing as security researchers in order to interact with potential targets. The actors built trust and then directed their targets to malicious links and web pages. They also used other channels such as LinkedIn, Keybase and Telegram to approach security researchers, according to Google TAG.
The threat actors also hosted a blog (blog.br0vvnn[.]io) containing analyses and write-ups of publicly disclosed vulnerabilities. They frequently tweeted links to the blog's posts from the fake social media profiles to lend their impersonation an air of legitimacy, the researchers say. The blog was also used to load malware onto the systems of security researchers who visited the link, they add.
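Because the article names the blog only as a defanged domain, the natural defender's follow-up is to check whether anyone in the organization visited it. The script below is an added example, not code from the article or from Google TAG: it refangs defanged indicators, then matches the hostname of each URL in a web-proxy log against them (exact host or any subdomain, and not a look-alike domain that merely starts with the same string). The indicator list holds only the domain quoted above; the log lines and the squid-style "timestamp client method url" layout are constructed assumptions for the example.

```python
"""Match defanged domain indicators against web-proxy log lines.

Added example; it is not the article's or Google TAG's code. The sample log
and its column layout are constructed for this demonstration.
"""
from urllib.parse import urlsplit

# Indicator exactly as the article quotes it (defanged).
INDICATORS = ["blog.br0vvnn[.]io"]

# Constructed sample log: "<epoch> <client-ip> <method> <url>" per line.
SAMPLE_LOG = """\
1611593000.123 10.0.0.5 GET https://example.com/research/post-1
1611593100.456 10.0.0.7 GET https://blog.br0vvnn.io/2021/01/index.html
1611593200.789 10.0.0.7 GET https://BLOG.BR0VVNN.IO/2021/01/post.js
1611593300.012 10.0.0.9 GET https://notblog.br0vvnn.io.example.net/
"""


def refang(ioc):
    """Turn the usual defanging conventions back into a real host/URL string."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def host_matches(host, domain):
    """True when host is the indicator domain itself or a subdomain of it.

    Plain substring matching would also flag e.g. notblog.br0vvnn.io.example.net,
    which is a different registrable domain, so compare on label boundaries.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_log(log_text, indicators=INDICATORS):
    """Return one hit dict per log line whose URL host matches an indicator."""
    domains = [refang(i).lower() for i in indicators]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than crash
        ts, client, method, url = parts[:4]
        host = urlsplit(url).hostname or ""  # hostname is already lowercased
        for d in domains:
            if host_matches(host, d):
                hits.append({"ts": ts, "client": client, "method": method,
                             "host": host, "indicator": d})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} visited {hit['host']} "
              f"(matches indicator {hit['indicator']})")
```

Feed a real proxy export through `scan_log` with the columns adjusted to your log format; the `host_matches` boundary check is the part worth keeping, since substring matching on a short domain produces false positives on unrelated hosts.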
The campaign followed a simple tactic. "After establishing initial communications, the actors ask the targeted researchers if they want to collaborate on a vulnerability research together, and then provide the researcher with a Visual Studio Project," says the Google TAG blog. The project contained an extra DLL file that the TAG researchers identified as the hidden malware. "The DLL is custom malware that would immediately begin communicating with actor-controlled C2 [command and control] domains," the researchers say.
The TAG researchers, however, could not determine which vulnerability the malware exploited to load itself onto the victim's computer. They encouraged researchers to look for the Chrome vulnerability and to report any in-the-wild exploitation through the Chrome vulnerability reward program.
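The lure above works because a Visual Studio project is code that runs on your machine the moment you build it, not just source you read. A practical pre-build triage is to list every binary bundled with the project and every command the build executes automatically, and to flag any command that references a bundled binary. The script below is an added example, not the article's or Google TAG's code; it assumes an MSBuild-style `.vcxproj`/`.csproj` and constructs a sample project (including a placeholder `tools\helper.dll` and a post-build command) purely to exercise the check.

```python
"""Triage a Visual Studio project before building it.

Added example, not code from the article or from Google TAG. It reports two
things a defender wants to see before pressing Build on a project received
from a stranger: binaries shipped inside the project tree, and build-event
commands that run automatically. Assumptions: MSBuild-style project XML; the
sample project written by build_sample_project() is constructed for this demo.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# MSBuild elements whose content is a command the build executes.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "Exec"}
BINARY_EXTENSIONS = (".dll", ".exe", ".ocx", ".sys")

# Constructed sample: a normal C++ project plus a post-build event that
# launches a DLL bundled in the project tree (a hypothetical helper.dll).
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="main.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>rundll32 "$(ProjectDir)tools\\helper.dll",Init</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def _local(tag):
    """Strip the XML namespace so both namespaced and SDK-style projects work."""
    return tag.split("}")[-1]


def find_build_commands(project_file):
    """Return (element, command) pairs for every build event in the project."""
    findings = []
    for elem in ET.parse(project_file).iter():
        tag = _local(elem.tag)
        if tag not in BUILD_EVENT_TAGS:
            continue
        if tag == "Exec":                      # <Exec Command="..."/> in targets
            cmd = elem.get("Command", "")
        else:                                  # <PostBuildEvent><Command>...</Command>
            cmd = "".join(c.text or "" for c in elem if _local(c.tag) == "Command")
        if cmd.strip():
            findings.append((tag, cmd.strip()))
    return findings


def find_bundled_binaries(project_dir):
    """Return project-relative paths (forward slashes) of binaries in the tree."""
    found = []
    for root, _dirs, files in os.walk(project_dir):
        for name in files:
            if name.lower().endswith(BINARY_EXTENSIONS):
                rel = os.path.relpath(os.path.join(root, name), project_dir)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def triage(project_dir, project_file):
    """Combine both checks; 'suspicious' means a build command names a bundled binary."""
    commands = find_build_commands(project_file)
    binaries = find_bundled_binaries(project_dir)
    names = [os.path.basename(b).lower() for b in binaries]
    suspicious = any(n in cmd.lower() for _tag, cmd in commands for n in names)
    return {"build_commands": commands, "bundled_binaries": binaries,
            "suspicious": suspicious}


def build_sample_project():
    """Write the constructed sample project to a temp dir; return (dir, project file)."""
    d = tempfile.mkdtemp(prefix="vsproj_triage_")
    os.makedirs(os.path.join(d, "tools"))
    with open(os.path.join(d, "main.cpp"), "w") as f:
        f.write("int main() { return 0; }\n")
    with open(os.path.join(d, "tools", "helper.dll"), "wb") as f:
        f.write(b"MZ placeholder bytes, not a real PE file\n")  # constructed stand-in
    proj = os.path.join(d, "demo.vcxproj")
    with open(proj, "w") as f:
        f.write(SAMPLE_VCXPROJ)
    return d, proj


if __name__ == "__main__":
    d, proj = build_sample_project()
    report = triage(d, proj)
    for tag, cmd in report["build_commands"]:
        print(f"build event {tag}: {cmd}")
    print("bundled binaries:", report["bundled_binaries"])
    print("suspicious:", report["suspicious"])
```

Run it against any project directory by replacing `build_sample_project()` with the real path and `.vcxproj`; a project that ships a DLL and also runs it from a build event is worth opening in a disposable VM rather than on a workstation, which is the review step this check is meant to prompt.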
Despite being exposed by the Google TAG team in January, the campaign did not stop. In March 2021, the researchers discovered another fake website, registered under a hoax company banner called SecuriElite. The company, supposedly based in Turkey, claimed to offer offensive security services such as pentesting, software security assessments and exploits.
Although the researchers did not find any malicious content on the SecuriElite website, they added it to Google's Safe Browsing blocklist because it was hosted by the same North Korean threat actor.
The latest suspension of fake Twitter accounts is not the first in the campaign. Researchers Francisco Alonso and Javier Marcos in May flagged two other fake accounts - @fdh0mu and @m7research - to the researchers at the Google TAG team, who analyzed the claim before reporting it to Twitter. The social media platform suspended the accounts in August 2021, according to Alonso.
These accounts have recently been suspended. @javutin and I followed the activity of those accounts for some time and on May 28th, we decided to notify Google's Threat Analysis Group. https://t.co/auubjBuCw1
— Francisco Alonso (@revskills), August 6, 2021