In January, Google and Microsoft outed what they said was North Korean government-sponsored hackers targeting security researchers. The hackers spent weeks using fake Twitter profiles—purportedly belonging to vulnerability researchers—before unleashing an Internet Explorer zero-day and a malicious Visual Studio Project, both of which installed custom malware.
Now, the same hackers are back, a Google researcher said on Wednesday, this time with a new batch of social media profiles and a fake company that claims to offer offensive security services, including penetration testing, software security assessments, and software exploits.
Once more with feeling
The homepage for the fake company is sleek and looks no different from countless real security companies all over the world.
The hackers also cooked up more than a dozen new social media profiles that purported to belong to recruiters for security companies, security researchers, and various employees of SecuriElite, the fake security company. The work that went into creating the profiles was fairly impressive.
My favorite is this Twitter profile of @seb_lazar, which presumably corresponds to Sebastian Lazarescue, one of the fake researchers working for the fake SecuriElite.
Security people all know that Lazarus is the name used to identify hackers backed by the North Korean government. Developing detailed Twitter and LinkedIn profiles for a researcher with your fake security company, naming him Sebastian Lazarescue, and having him retweeting lots of top-flight security researchers—some who work for Google—is next-level trolling.
Adam Weidemann, a researcher with Google’s Threat Analysis Group, cautions that the hackers’ past success in luring researchers to websites hosting an IE zero-day means the group should be taken seriously.
“Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days,” he wrote.