According to Google’s new Threat Horizons report, released this week, North Korean state-sponsored hackers posed as Samsung recruiters and sent false job offers to employees of South Korean security firms that sell anti-malware software.
The Google Threat Analysis Group, the Google security team that discovered the malicious emails, traced the attacks back to the same group of North Korean hackers who previously targeted security researchers on Twitter and other social networks in late 2020 and early 2021.
The new campaign follows the discovery in January by Google’s Threat Analysis Group of a hacking campaign by the same North Korean entity, which targeted security researchers working on vulnerability research and development at various companies and organisations.
To gain credibility and connect with security researchers, the actors set up a research blog and multiple Twitter profiles to interact with potential targets. They have used these Twitter accounts to post links to their blog, videos of their alleged exploits and to amplify and retweet posts from other accounts under their control.
Concerning the new campaign, Google stated that the new website, like previous websites established by this actor, includes a link at the bottom of the page to the actor’s PGP public key (which can be used to send the actor messages confidentially).
The threat actor’s tactics have perplexed the security community, which believes the group attempted to acquire unreleased vulnerabilities and exploits from some of its misguided and careless members. Microsoft tracks this threat actor under the codename “Zinc.”
However, the attack on South Korean antivirus makers may be different: compromising their employees could give the group access to the means to carry out a targeted supply chain attack against the South Korean organisations where that anti-malware software is running.
Finally, Google Threat Analysis Group’s Adam Weidemann concluded: “The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security. We discovered two accounts on LinkedIn impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms so that appropriate action can be taken.”