In January 2021, Google’s Threat Analysis Group (TAG) published a report detailing a cyber-espionage campaign, attributed to a North Korea-linked threat actor, that targeted security researchers working on vulnerability research and development at a range of companies and organizations. The campaign appears to be ongoing.
The operation relied on social engineering to win victims’ trust, chiefly by posing as security researchers. The attackers created their own research blogs containing analyses of already publicly disclosed vulnerabilities, and set up multiple Twitter profiles from which they posted links to the blogs and published videos of their claimed exploits.
In a new report on this threat, Google said that in March 2021 the same attackers set up a new website, with associated social media profiles, for a fake company called “SecuriElite,” which purported to offer security services such as penetration tests, software security assessments and exploits.
The website linked to the threat actor’s PGP public key. In previous attacks, the PGP key link served as the lure that drew targets to the malicious site hosting a browser exploit.
“The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Google said.
The researchers said they have not yet observed the new attacker website deliver malicious content, but they have added it to Google Safe Browsing as a precaution.
“Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days. We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerabilities Rewards Program submission process,” Google said.