Twitter has blocked two accounts operated by North Korean hackers. These accounts were used to lure information security researchers to malicious sites.
Back in January 2021, Google's Threat Analysis Group warned that North Korean hackers were targeting security specialists engaged in vulnerability research. The attackers used social engineering to build trust with those specialists, with the ultimate goal of luring them to malicious sites and infecting their systems with malware.
In the spring of this year, Google discovered the continuation of this campaign: the website of the fake information security firm SecuriElite was found, as well as its Twitter and LinkedIn accounts, which were created by the same hacker group. Allegedly, the firm is located in Turkey and is engaged in pentests, software security assessments and exploits.
The attackers followed the same playbook: they planned to use the social network accounts to make contact with security specialists and lure them to their website, where browser exploits would be used against them.
What was meant to happen after infection is still unknown. The likely aim was that, once they had access to a researcher's computer, the hackers could find and steal non-public exploits and vulnerability data, and could also spy on the victim's employer (security companies and government agencies being classic targets for cyber espionage).
Twitter has now blocked two accounts controlled by North Korean hackers. The accounts @lagal1990 and @shiftrows13 were part of the same long-running cyber-espionage campaign that began last year and, as mentioned above, was discovered by Google.
Google TAG analyst Adam Weidemann writes on Twitter that these accounts have posted cybersecurity-related content, including PoC exploits for new vulnerabilities, in the hopes of gaining a reputation in the cybersecurity community.
Both accounts had fewer than 1,000 followers, and it is not entirely clear whether they had already been used to establish contact with security researchers or were still at the stage of building a reputation.