In a report published today, Google has revealed that its Threat Analysis Group (TAG) has identified what appears to be a group of North Korean government-backed hackers using social media to target cybersecurity researchers.
In a blog post published on Tuesday, Google TAG member Adam Weidemann called it an "ongoing campaign" targeting security researchers working on "vulnerability research and development". The North Korean group uses social media platforms such as Twitter, LinkedIn, Telegram, Discord and Keybase, as well as email, to reach researchers who work on identifying security issues in software.
"In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets," Weidemann wrote. "They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control."
The hackers would build a rapport with researchers and invite them to collaborate on finding bugs and vulnerabilities in security software, which they would then try to exploit, Weidemann said. They would also direct researchers to a blog hosted by the hackers, after which software was installed that allowed the hackers to access the researcher's computer.
"At this time we're unable to confirm the mechanism of compromise," said Weidemann, although he welcomed any information about the security flaw.
The TAG team has recommended that researchers exercise caution when accepting third-party files and use separate physical or virtual machines for general browsing and research activities.